
www.fortinet.com
FortiGate CLI
Version 3.0 MR5
REFERENCE
Visit http://support.fortinet.com to register your FortiGate CLI product. By registering you can receive product
updates, technical support, and FortiGuard services.
FortiGate CLI Reference
Version 3.0 MR5
3 August 2007
01-30005-0015-20070803
Copyright 2007 Fortinet, Inc. All rights reserved. No part of this
publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat
Management System, FortiGuard, FortiGuard Antispam, FortiGuard
Antivirus, FortiGuard Intrusion Prevention, FortiGuard Web Filtering,
FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner,
FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other
countries. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 3
Contents
Introduction ...................................................................................... 15
About the FortiGate Unified Threat Management System........................... 15
About this document ....................................................................................... 15
FortiGate documentation ................................................................................ 16
Related documentation ................................................................................... 17
FortiManager documentation...................................................................... 17
FortiClient documentation........................................................................... 18
FortiMail documentation.............................................................................. 18
FortiAnalyzer documentation ...................................................................... 18
Fortinet Tools and Documentation CD........................................................ 18
Fortinet Knowledge Center ......................................................................... 18
Comments on Fortinet technical documentation......................................... 19
Customer service and technical support ...................................................... 19
Register your Fortinet product ....................................................................... 19
What's new ....................................................................................... 21
Using the CLI .................................................................................... 27
CLI command syntax....................................................................................... 27
Administrator access ...................................................................................... 28
Connecting to the CLI ..................................................................................... 30
Connecting to the FortiGate console........................................................... 30
Setting administrative access on an interface............................................. 31
Connecting to the FortiGate CLI using SSH ............................................... 31
Connecting to the FortiGate CLI using Telnet............................................. 32
Connecting to the FortiGate CLI using the web-based manager................ 32
CLI objects ....................................................................................................... 33
CLI command branches .................................................................................. 33
config branch............................................................................................... 34
get branch................................................................................................... 36
show branch................................................................................................ 38
execute branch............................................................................................ 39
diagnose branch.......................................................................................... 39
Example command sequences................................................................... 39
CLI basics......................................................................................................... 43
Command help............................................................................................ 43
Command completion................................................................................. 43
Recalling commands................................................................................... 44
Editing commands....................................................................................... 44
Line continuation......................................................................................... 44
Command abbreviation............................................................................... 44
Environment variables ................................................................................ 44
Encrypted password support ...................................................................... 45
Entering spaces in strings........................................................................... 45
Entering quotation marks in strings............................................................. 45
Entering a question mark (?) in a string...................................................... 45
International characters .............................................................................. 46
Special characters ...................................................................................... 46
IP address formats...................................................................................... 46
Editing the configuration file........................................................................ 46
Setting screen paging................................................................................. 47
Changing the baud rate .............................................................................. 47
Using Perl regular expressions................................................................... 47
Working with virtual domains......................................................... 51
Enabling virtual domain configuration.......................................................... 51
Accessing commands in virtual domain configuration............................... 51
Creating and configuring VDOMs .................................................................. 52
Creating a VDOM........................................................................................ 52
Assigning interfaces to a VDOM................................................................. 52
Setting VDOM operating mode................................................................... 52
Changing back to NAT/Route mode........................................................... 53
Configuring inter-VDOM routing .................................................................... 53
Changing the management VDOM................................................................. 54
Creating VDOM administrators ...................................................................... 54
Troubleshooting ARP traffic on VDOMs ....................................................... 55
Duplicate ARP packets ............................................................................... 55
Multiple VDOMs solution............................................................................. 55
Forward-domain solution............................................................................ 55
global ................................................................................................................ 57
vdom................................................................................................................. 60
alertemail .......................................................................................... 63
setting............................................................................................................... 64
antivirus ............................................................................................ 69
filepattern ......................................................................................................... 70
grayware........................................................................................................... 72
heuristic............................................................................................................ 74
quarantine ........................................................................................................ 75
quarfilepattern ................................................................................................. 77
service .............................................................................................................. 78
firewall ............................................................................................... 81
address, address6 ........................................................................................... 82
addrgrp, addrgrp6............................................................................................ 84
dnstranslation .................................................................................................. 85
ipmacbinding setting....................................................................................... 86
ipmacbinding table.......................................................................................... 88
ippool ................................................................................................................ 89
multicast-policy ............................................................................................... 90
policy, policy6.................................................................................................. 92
profile.............................................................................................................. 101
schedule onetime .......................................................................................... 123
schedule recurring ........................................................................................ 124
service custom............................................................................................... 126
service group ................................................................................................. 128
service predefined ......................................................................................... 129
vip.................................................................................................................... 130
vipgrp.............................................................................................................. 135
gui .................................................................................................... 137
console ........................................................................................................... 138
topology.......................................................................................................... 139
imp2p............................................................................................... 141
aim-user .......................................................................................................... 142
icq-user ........................................................................................................... 143
msn-user......................................................................................................... 144
old-version ..................................................................................................... 145
policy .............................................................................................................. 146
yahoo-user ..................................................................................................... 147
ips .................................................................................................... 149
anomaly .......................................................................................................... 150
config limit................................................................................................. 150
custom............................................................................................................ 154
global .............................................................................................................. 155
group............................................................................................................... 157
config rule <rule-name_str>...................................................................... 157
log.................................................................................................... 161
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter ... 162
disk setting..................................................................................................... 167
fortianalyzer setting ...................................................................................... 170
fortiguard setting........................................................................................... 172
memory setting.............................................................................................. 173
syslogd setting .............................................................................................. 174
webtrends setting.......................................................................................... 176
trafficfilter ....................................................................................................... 177
config rule ................................................................................................. 177
report customization ..................................................................................... 179
report definition ............................................................................................. 180
report filter ..................................................................................................... 181
report output .................................................................................................. 182
report period .................................................................................................. 184
report schedule.............................................................................................. 185
report scope................................................................................................... 186
report selection.............................................................................................. 188
report summary-layout ................................................................................. 189
router............................................................................................... 191
access-list ...................................................................................................... 192
aspath-list....................................................................................................... 194
bgp .................................................................................................................. 196
config router bgp....................................................................................... 198
config admin-distance............................................................................... 201
config aggregate-address ......................................................................... 202
config neighbor ......................................................................................... 202
config network........................................................................................... 206
config redistribute...................................................................................... 207
community-list ............................................................................................... 209
key-chain ........................................................................................................ 212
multicast ......................................................................................................... 214
Sparse mode............................................................................................. 214
Dense mode.............................................................................................. 215
Command syntax pattern.......................................................................... 215
config router multicast............................................................................... 216
config interface.......................................................................................... 218
config pim-sm-global................................................................................. 220
ospf ................................................................................................................. 224
Command syntax pattern.......................................................................... 224
config router ospf ...................................................................................... 226
config area ................................................................................................ 228
config distribute-list ................................................................................... 232
config neighbor.......................................................................................... 233
config network........................................................................................... 233
config ospf-interface.................................................................................. 234
config redistribute...................................................................................... 236
config summary-address........................................................................... 237
policy .............................................................................................................. 239
prefix-list......................................................................................................... 242
rip .................................................................................................................... 245
config router rip......................................................................................... 246
config distance.......................................................................................... 247
config distribute-list ................................................................................... 248
config interface.......................................................................................... 248
config neighbor.......................................................................................... 250
config network........................................................................................... 250
config offset-list......................................................................................... 251
config redistribute...................................................................................... 252
route-map ....................................................................................................... 253
Using route maps with BGP ...................................................................... 255
static ............................................................................................................... 259
static6 ............................................................................................................. 261
spamfilter ........................................................................................ 263
bword .............................................................................................................. 264
emailbwl .......................................................................................................... 267
fortishield ....................................................................................................... 269
ipbwl ................................................................................................................ 271
iptrust.............................................................................................................. 273
mheader .......................................................................................................... 274
options............................................................................................................ 276
DNSBL ............................................................................................................ 277
switch .............................................................................................. 279
global .............................................................................................................. 280
mac-address-table......................................................................................... 282
port-quarantine client-profile........................................................................ 283
port-quarantine dynamic-policy ................................................................... 284
port-quarantine strict-policy......................................................................... 285
QoS................................................................................................................. 286
spanning-tree................................................................................................. 287
switchport ...................................................................................................... 288
system............................................................................................. 291
accprofile........................................................................................................ 292
admin .............................................................................................................. 295
alertemail ........................................................................................................ 298
arp-table ......................................................................................................... 299
auto-install ..................................................................................................... 300
autoupdate clientoverride............................................................................. 301
autoupdate ips ............................................................................................... 302
autoupdate override...................................................................................... 303
autoupdate push-update............................................................................... 304
autoupdate schedule..................................................................................... 306
autoupdate tunneling .................................................................................... 308
aux .................................................................................................................. 310
bug-report ...................................................................................................... 311
console........................................................................................................... 312
dhcp reserved-address ................................................................................. 313
dhcp server .................................................................................................... 314
dns .................................................................................................................. 317
fm .................................................................................................................... 318
fortianalyzer, fortianalyzer2, fortianalyzer3 ................................................ 320
fortiguard........................................................................................................ 322
fortiguard-log ................................................................................................. 325
global .............................................................................................................. 326
gre-tunnel ....................................................................................................... 335
ha .................................................................................................................... 337
interface.......................................................................................................... 346
ipv6-tunnel ..................................................................................................... 361
mac-address-table......................................................................................... 362
modem............................................................................................................ 363
npu .................................................................................................................. 366
proxy-arp ........................................................................................................ 367
replacemsg admin ......................................................................................... 368
replacemsg alertmail ..................................................................................... 369
replacemsg auth ............................................................................................ 371
replacemsg fortiguard-wf.............................................................................. 374
replacemsg ftp ............................................................................................... 376
replacemsg hostcheck .................................................................................. 378
replacemsg http ............................................................................................. 380
replacemsg im................................................................................................ 382
replacemsg mail ............................................................................................. 384
replacemsg nntp ............................................................................................ 386
replacemsg spam .......................................................................................... 388
replacemsg sslvpn ........................................................................................ 390
session-helper ............................................................................................... 391
session-ttl ....................................................................................................... 392
settings ........................................................................................................... 393
snmp community ........................................................................................... 396
snmp sysinfo.................................................................................................. 400
tos-based-priority .......................................................................................... 402
vdom-link........................................................................................................ 403
wireless mac-filter ......................................................................................... 405
wireless settings............................................................................................ 406
zone................................................................................................................. 409
user.................................................................................................. 411
Configuring users for authentication .......................................................... 412
Configuring users for password authentication......................................... 412
Configuring peers for certificate authentication......................................... 412
adgrp............................................................................................................... 413
fsae.................................................................................................................. 414
group............................................................................................................... 416
ldap ................................................................................................................. 420
local................................................................................................................. 423
peer ................................................................................................................. 425
peergrp ........................................................................................................... 427
radius .............................................................................................................. 428
vpn................................................................................................... 431
certificate ca................................................................................................... 432
certificate crl .................................................................................................. 433
certificate local .............................................................................................. 435
certificate ocsp .............................................................................................. 436
certificate remote........................................................................................... 437
ipsec concentrator ........................................................................................ 438
ipsec forticlient .............................................................................................. 439
ipsec manualkey............................................................................................ 440
ipsec manualkey-interface............................................................................ 443
ipsec phase1.................................................................................................. 446
ipsec phase1-interface.................................................................................. 454
ipsec phase2.................................................................................................. 463
ipsec phase2-interface.................................................................................. 470
l2tp .................................................................................................................. 477
pptp................................................................................................................. 479
ssl monitor ..................................................................................................... 481
ssl settings..................................................................................................... 482
ssl web bookmarks ....................................................................................... 485
ssl web bookmarks-group ............................................................................ 487
ssl web favorite.............................................................................................. 488
webfilter .......................................................................................... 491
bword.............................................................................................................. 492
exmword......................................................................................................... 494
fortiguard........................................................................................................ 496
FortiGuard-Web category blocking........................................................... 496
ftgd-local-cat .................................................................................................. 499
ftgd-local-rating ............................................................................................. 500
ftgd-ovrd......................................................................................................... 501
urlfilter ............................................................................................................ 503
execute............................................................................................ 505
backup ............................................................................................................ 506
batch ............................................................................................................... 508
cfg reload ....................................................................................................... 509
cfg save .......................................................................................................... 510
clear system arp table................................................................................... 511
cli ..................................................................................................................... 512
date ................................................................................................................. 513
deploy ............................................................................................................. 514
dhcp lease-clear............................................................................................. 515
dhcp lease-list ................................................................................................ 516
disconnect-admin-session ........................................................................... 517
factoryreset .................................................................................................... 518
formatlogdisk ................................................................................................. 519
fortiguard-log delete...................................................................................... 520
fortiguard-log update .................................................................................... 521
fsae refresh .................................................................................................... 522
ha disconnect................................................................................................. 523
ha manage...................................................................................................... 524
ha synchronize............................................................................................... 526
interface dhcpclient-renew ........................................................................... 528
interface pppoe-reconnect............................................................................ 529
log delete-all ................................................................................................... 530
log delete-filtered........................................................................................... 531
log delete-rolled ............................................................................................. 532
log display ...................................................................................................... 533
log filter........................................................................................................... 534
log fortianalzyer test-connectivity ............................................................... 536
log list ............................................................................................................. 537
log roll ............................................................................................................. 538
log stats display............................................................................................. 539
log stats reset ................................................................................................ 541
modem dial ..................................................................................................... 542
modem hangup .............................................................................................. 543
mrouter clear .................................................................................................. 544
ping ................................................................................................................. 545
ping-options ................................................................................................... 546
ping6 ............................................................................................................... 548
reboot.............................................................................................................. 549
restore............................................................................................................. 550
router clear bgp ............................................................................................. 552
router clear bfd .............................................................................................. 553
router clear ospf process ............................................................................. 554
router restart .................................................................................................. 555
set-next-reboot .............................................................................................. 556
shutdown........................................................................................................ 557
ssh .................................................................................................................. 558
telnet ............................................................................................................... 559
time ................................................................................................................. 560
traceroute....................................................................................................... 561
update-av........................................................................................................ 562
update-ips ...................................................................................................... 563
update-now .................................................................................................... 564
upd-vd-license ............................................................................................... 565
usb-disk.......................................................................................................... 566
vpn certificate local ....................................................................................... 567
vpn certificate ca ........................................................................................... 570
vpn certificate crl ........................................................................................... 572
vpn certificate remote ................................................................................... 573
vpn sslvpn del-tunnel.................................................................................... 574
vpn sslvpn del-web ....................................................................................... 575
get.................................................................................................... 577
chassis status................................................................................................ 578
gui console status ......................................................................................... 581
gui topology status ....................................................................................... 582
hardware status ............................................................................................. 583
ips anomaly status ........................................................................................ 584
ips custom status .......................................................................................... 586
ips group status............................................................................................. 587
ipsec tunnel list ............................................................................................. 589
router info bgp ............................................................................................... 590
router info bfd ................................................................................................ 592
router info multicast ...................................................................................... 593
router info ospf .............................................................................................. 595
router info protocols ..................................................................................... 597
router info rip ................................................................................................. 598
router info routing-table ............................................................................... 599
system admin list .......................................................................................... 600
system admin status ..................................................................................... 601
system arp...................................................................................................... 602
system central-mgmt status ......................................................................... 603
system checksum.......................................................................................... 604
system cmdb status ...................................................................................... 605
system dashboard ......................................................................................... 606
system fortianalyzer-connectivity................................................................ 607
system fortiguard-log-service status........................................................... 608
system fortiguard-service status ................................................................. 609
system ha status............................................................................................ 610
system info admin ssh .................................................................................. 613
system info admin status.............................................................................. 614
system performance status .......................................................................... 615
system session list ........................................................................................ 617
system status................................................................................................. 618
Index................................................................................................ 619
Introduction
This chapter introduces you to the FortiGate Unified Threat Management System
and the following topics:
• About the FortiGate Unified Threat Management System
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support
• Register your Fortinet product
About the FortiGate Unified Threat Management System
The FortiGate Unified Threat Management System supports network-based
deployment of application-level services, including virus protection and full-scan
content filtering. FortiGate units improve network security, reduce network misuse
and abuse, and help you use communications resources more efficiently without
compromising the performance of your network.
The FortiGate unit is a dedicated, easily managed security device that delivers a
full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic
shaping.
The FortiGate unit employs Fortinet's Accelerated Behavior and Content Analysis
System (ABACAS) technology, which leverages breakthroughs in chip design,
networking, security, and content analysis. The unique ASIC-based architecture
analyzes content and behavior in real time, enabling key applications to be
deployed right at the network edge where they are most effective at protecting
your networks. The FortiGate series complements existing solutions, such as
host-based antivirus protection, and enables new applications and services while
greatly lowering costs for equipment, administration, and maintenance.
About this document
This document describes how to use the FortiGate Command Line Interface
(CLI). This document contains the following chapters:
• Using the CLI describes how to connect to and use the FortiGate CLI.
• Working with virtual domains describes how to create and administer multiple
VDOMs. It also explains how enabling vdom-admin changes the way you work
with the CLI.
• alertemail is an alphabetic reference to the commands used to configure
alertemail.
• antivirus is an alphabetic reference to the commands used to configure
antivirus features.
• firewall is an alphabetic reference to the commands used to configure firewall
policies and settings.
• gui is an alphabetic reference to the commands used to set preferences for the
web-based manager CLI console and topology viewer.
• imp2p is an alphabetic reference to the commands used to configure user
access to Instant Messaging and Person-to-Person applications.
• ips is an alphabetic reference to the commands used to configure intrusion
detection and prevention features.
• log is an alphabetic reference to the commands used to configure logging.
• router is an alphabetic reference to the commands used to configure routing.
• spamfilter is an alphabetic reference to the commands used to configure spam
filtering features.
• switch is an alphabetic reference to the commands used to configure the
secure switch features of the FortiGate-224B unit.
• system is an alphabetic reference to the commands used to configure the
FortiGate system settings.
• user is an alphabetic reference to the commands used to configure authorized
user accounts and groups.
• vpn is an alphabetic reference to the commands used to configure FortiGate
VPNs.
• webfilter is an alphabetic reference to the commands used to configure web
content filtering.
• execute is an alphabetic reference to the execute commands, which provide
some useful utilities such as ping and traceroute, and some commands used
for maintenance tasks.
• get is an alphabetic reference to commands that retrieve status information
about the FortiGate unit.
Note: Diagnose commands are also available from the FortiGate CLI. These commands
are used to display system information and for debugging. Diagnose commands are
intended for advanced users only, and they are not covered in this document. Contact
Fortinet technical support before using these commands.
FortiGate documentation
Information about FortiGate products is available from the following guides:
FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.
FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
FortiGate Log Message Reference
Describes the structure of FortiGate log messages and provides information
about the log messages that are generated by FortiGate units.
FortiGate High Availability User Guide
Contains in-depth information about the FortiGate high availability feature and
the FortiGate clustering protocol.
FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings
and how the FortiGate IPS deals with some common attacks.
FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the web-
based manager.
FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and
describes how to configure web-only mode and tunnel-mode SSL VPN access
for remote users through the web-based manager.
FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates
and certificate revocation lists, and backing up and restoring installed
certificates and private keys.
FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMS in both NAT/Route and
Transparent mode. Includes detailed examples.
Related documentation
Additional information about Fortinet products is available from the following
related documentation.
FortiManager documentation
FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager
Server, and configure basic settings.
FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the FortiManager Console as you work.
FortiClient documentation
FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up
firewall policies.
FortiClient Host Security online help
Provides information and procedures for using and configuring the FortiClient
software.
FortiMail documentation
FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway
mode and server mode, including how to configure the unit; create profiles and
policies; configure antispam and antivirus filters; create user accounts; and set
up logging and reporting.
FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; and how to
configure message display preferences.
FortiAnalyzer documentation
FortiAnalyzer Administration Guide
Describes how to install and configure a FortiAnalyzer unit to collect FortiGate
and FortiMail log files. It also describes how to view FortiGate and FortiMail log
files, generate and view log reports, and use the FortiAnalyzer unit as a NAS
server.
FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current for
your product at shipping time. For the latest versions of all Fortinet documentation
see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center
The most recent Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains short how-to articles, FAQs,
technical notes, product and feature guides, and much more. Visit the Fortinet
Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.
Register your Fortinet product
Register your Fortinet product to receive Fortinet customer services such as
product updates and technical support. You must also register your product for
FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention
updates and for FortiGuard Web Filtering and AntiSpam.
Register your product by visiting http://support.fortinet.com and selecting Product
Registration.
To register, enter your contact information and the serial numbers of the Fortinet
products that you or your organization have purchased. You can register multiple
Fortinet products in a single session without re-entering your contact information.
What's new
The tables below list commands which have changed since the previous release, MR4.

Command                                    Change
config antivirus quarantine
  set enable-auto-submit                   Removed keyword.
  set sel-status                           Removed keyword.
  set use-fpat                             Removed keyword.
  set use-status                           Removed keyword.
config firewall multicast-policy
  edit <id_integer>
    set dnat                               New keyword. Sets address for destination NAT.
config firewall policy, policy6
  edit <id_integer>
    set secure-vlan                        New command, available only on the FortiGate-224B unit
                                           in switch view. Creates an intra-VLAN firewall policy.
config global                              These configurations apply globally.
  config firewall service                  Added.
  config gui console                       Added.
  config system console                    Added.
  config system fortiguard                 Added.
  config system replacemsg                 Added.
  config vpn certificate                   Added.
  execute central-mgmt                     Added.
  execute cfg                              Added.
  execute update-ips                       Added.
  execute update-now                       Added.
config gui console                         New command. Configures web-based manager CLI console.
config gui topology                        New command. Configures web-based manager topology
                                           viewer.
config ips anomaly <name_str>
  config limit
    set dst-ip                             New keyword. Sets the IP address and netmask of the
                                           destination network.
    set ipaddress                          Removed keyword.
    set service                            New keyword. Sets the port number used by the anomaly
                                           within the limit.
    set src-ip                             New keyword. Sets the IP address and netmask of the
                                           source network.
config log disk setting
  set uploadtype content                   Removed content option.
  set upload-destination                   New keyword. Sets destination for uploaded logs to
                                           fortianalyzer or ftp-server.
config log report customization
  set footer                               New keyword. Can enter the footer comment without
                                           selecting footer-option custom.
config log report scope
  set audit                                New keyword. Sets the top number of values in all audit
                                           reports.
config spamfilter DNSBL                    Renamed from spamfilter rbl.
config spamfilter rbl                      Renamed to spamfilter DNSBL.
config switch                              New commands for FortiGate-224B unit only. These
                                           commands configure switch security features when the
                                           unit is in switch view.
config system dhcp server
  edit <dhcpservername>
    set conflicted-ip-timeout              New keyword. Sets time to wait before a conflicted IP
                                           address is removed from the DHCP range.
config system fm
  set auto-backup                          New keyword. Enables automatic configuration backup on
                                           the FortiGate unit via Central Management feature.
  set scheduled-config-restore             New keyword. Enables a scheduled restore of a
                                           configuration from FortiManager to the FortiGate unit.
config system fortiguard
  set central-mgmt-status                  New keyword. Enables the Central Management feature.
  set central-management-auto-backup       New keyword. Enables auto-backup of the FortiGate unit
                                           configuration via Central Management.
  set central-mgmt-scheduled-config-restore
                                           New keyword. Enables a scheduled restore of a
                                           configuration from Central Management to the FortiGate
                                           unit.
  set central-management-scheduled-upgrade
                                           New keyword. Enables scheduled configuration backup via
                                           Central Management.
  set service-account-id                   New keyword. Sets account ID for FortiGuard services.
config system global
  set admin-https-pki-required             New keyword. Enables user to log in by providing a valid
                                           certificate if PKI is enabled for HTTPS administrative
                                           access.
  set admin-maintainer                     New keyword. Can disable built-in Maintainer account.
  set auth-cert                            New keyword. Sets server certificate for policy
                                           authentication.
  set forticlient-portal-port              New keyword. Sets HTTP port for users to download
                                           FortiClient Host Security application.
  set internal-switch-mode                 New keyword. Sets internal switch to either interface
                                           or switch mode on supported models.
  set internal-switch-speed                New keyword. Sets the speed of the internal interface
                                           switch.
  set switch-view                          New keyword. Available on FortiGate-224B unit only.
                                           Enables switch security features, including intra-VLAN
                                           policies.
  set tp-mc-skip-policy                    New keyword. Enables skipping of policy check and
                                           enables multicast to pass.
  set user-server-cert                     New keyword. Selects the certificate to use for HTTPS
                                           user authentication.
config system ha
  set override                             In a virtual cluster configuration override is enabled
                                           for virtual cluster 1 and virtual cluster 2 when you
                                           enter set vcluster2 enable to enable virtual cluster 2.
config system interface
  edit <interface_name>
    set alias                              New keyword. Sets an alternate name for a physical
                                           interface.
    set fp-anomaly                         New keyword. Selects applications to enable for
                                           per-port fast path anomaly protection on AMC ports.
    set icmp-redirect                      New keyword. Can disable ICMP redirect on this
                                           interface.
    set mediatype                          New keyword. Selects SERDES or SGMII card type for your
                                           FB4 card on AMC interfaces.
    set peer-interface                     New keyword. Defines a peer interface.
    set type                               New option loopback creates a loopback interface.
config system ipv6-tunnel
  edit <tunnel_name>
    set ip6 <address_ipv6>                 New keyword. Sets IPv6 address for the tunnel.
config system npu                          New command. Configures the Network Processing Unit
                                           for FortiGate units that support FB4.
config system replacemsg hostcheck         New command. Enables modification of host check-related
                                           replacement messages.
config user peer
  edit <peer_name>
    set cn-type ipv6                       New option ipv6 for authentication of IPv6 IPSec.
config user radius
  edit <server_name>
    set all-usergroup                      New keyword. Includes this RADIUS server in all user
                                           groups.
config vdom    These configurations apply per VDOM.
  edit <vdom_name>
    config alertemail    Removed.
    config gui    Added.
    config system arp-table    Added.
    config system proxy-arp    Added.
    config system settings    Added.
    execute batch    Removed.
config vpn ipsec manualkey    encryption and authentication cannot both be null. You cannot create a VPN with no encryption and no authentication.
config vpn ipsec manualkey-interface    enc-alg and auth-alg cannot both be null. You cannot create a VPN with no encryption and no authentication.
  edit <tunnel_name>
    set ip-version    New keyword. Set ip-version to 4 for IPv4 or 6 for IPv6.
    set local-gw6    New keyword. Applies instead of local-gw when ip-version is 6.
    set remote-gw6    New keyword. Applies instead of remote-gw when ip-version is 6.
config vpn ipsec phase1-interface
  edit <gateway_name>
    set ip-version    New keyword. Set ip-version to 4 for IPv4 or 6 for IPv6.
    set local-gw6    New keyword. Applies instead of local-gw when ip-version is 6.
    set remote-gw6    New keyword. Applies instead of remote-gw when ip-version is 6.
config vpn ipsec phase2
  edit <tunnel_name>
    set proposal    Removed null-null option from proposal keyword. You cannot create a VPN with no encryption and no authentication.
config vpn ipsec phase2-interface
  edit <tunnel_name>
    set dst-end-ip6    New keyword. IPv6 equivalent to dst-end-ip.
    set dst-start-ip6    New keyword. IPv6 equivalent to dst-start-ip.
    set dst-subnet6    New keyword. IPv6 equivalent to dst-subnet.
    set proposal    Removed null-null option from proposal keyword. You cannot create a VPN with no encryption and no authentication.
    set src-addr-type    Added ip6, range6, subnet6 options for IPv6 addresses.
    set src-end-ip6    New keyword. IPv6 equivalent to src-end-ip.
    set src-start-ip6    New keyword. IPv6 equivalent to src-start-ip.
    set src-subnet6    New keyword. IPv6 equivalent to src-subnet.
config vpn ssl settings
    set url-obscuration    New keyword. Encrypts hostname of URL displayed to user.
config vpn ssl web bookmarks    New command. Predefines bookmarks for SSL VPN users.
config vpn ssl web bookmarks-group    New command. Predefines bookmark groups for SSL VPN users.
execute backup config management-station    New command. Backs up the system configuration to a configured management station.
execute batch lastlog    New command. Lists the results of the last batch commands.
execute cli status-msg-only    New command. Enables standardized output of CLI error messages.
execute restore config management-station    New command. Restores the system configuration from a configured management station.
execute vpn sslvpn del-web    New command. Deletes an active SSL VPN web connection.
get gui console status    New command. Displays information about the CLI console.
get gui topology status    New command. Displays information about the web-based manager topology viewer database.
get system central-mgmt status    New command. Displays information about the Central Management service.
Using the CLI
This chapter explains how to connect to the CLI and describes the basics of using
the CLI. You can use CLI commands to view all system information and to change
all system configuration settings.
This chapter describes:
CLI command syntax
Administrator access
Connecting to the CLI
CLI objects
CLI command branches
CLI basics
CLI command syntax
This guide uses the following conventions to describe command syntax.
Angle brackets < > indicate variables.
For example:
execute restore config <filename_str>
You enter:
execute restore config myfile.bak
<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.
<xxx_ipv6> indicates an IPv6 address.
<xxx_v6mask> indicates an IPv6 netmask.
<xxx_ipv6mask> indicates an IPv6 address followed by an IPv6 netmask.
Vertical bar and curly brackets { | } separate alternative, mutually exclusive required keywords.
For example:
set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.
Square brackets [ ] indicate that a keyword or variable is optional.
For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.
A space separates options that can be entered in any combination and must be separated by spaces.
For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp
In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
Administrator access
The access profile you are assigned in your administrator account controls which
CLI commands you can access. You need read access to view configurations and
write access to make changes. Access control in access profiles is divided into
groups, as follows:
Table 1: Access profile control of access to CLI commands
Access control group    Available CLI commands
Admin Users (admingrp)    system admin, system accprofile
Antivirus Configuration (avgrp)    antivirus
Auth Users (authgrp)    user
Firewall Configuration (fwgrp)    firewall
FortiProtect Update (updategrp)    system autoupdate, execute update-av, execute update-ips, execute update-now
IPS Configuration (ipsgrp)    ips
Log & Report (loggrp)    alertemail, log, system fortianalyzer, execute log
Maintenance (mntgrp)    execute backup, execute batch, execute formatlogdisk, execute restore, execute usb-disk
Network Configuration (netgrp)    system arp-table, system dhcp, system interface, system zone, execute clear system arp table, execute dhcp lease-clear, execute dhcp lease-list, execute interface
Router Configuration (routegrp)    router, execute mrouter, execute router
Spamfilter Configuration (spamgrp)    spamfilter
System Configuration (sysgrp)    system (except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface and zone), execute cfg, execute date, execute deploy, execute disconnect-admin-session, execute factoryreset, execute ha, execute ping, execute ping6, execute ping-options, execute reboot, execute set-next-reboot, execute shutdown, execute ssh, execute telnet, execute time, execute traceroute
VPN Configuration (vpngrp)    vpn, execute vpn
Webfilter Configuration (webgrp)    webfilter
Connecting to the CLI
You can use a direct console connection, SSH, Telnet or the web-based manager
to connect to the FortiGate CLI.
Connecting to the FortiGate console
Setting administrative access on an interface
Connecting to the FortiGate CLI using SSH
Connecting to the FortiGate CLI using Telnet
Connecting to the FortiGate CLI using the web-based manager
Connecting to the FortiGate console
Only the admin administrator or a regular administrator of the root domain can log
in by connecting to the console interface. You need:
a computer with an available communications port
a null modem cable, provided with your FortiGate unit, to connect the FortiGate
console port and a communications port on your computer
terminal emulation software such as HyperTerminal for Windows
Note: The following procedure describes how to connect to the FortiGate CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI
1 Connect the FortiGate console port to the available communications port on your computer.
2 Make sure the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the FortiGate console port.
5 Select OK.
6 Select the following port settings and select OK.
Bits per second    9600 (115200 for the FortiGate-300)
Data bits    8
Parity    None
Stop bits    1
Flow control    None
7 Press Enter to connect to the FortiGate CLI.
A prompt similar to the following appears (shown for the FortiGate-300):
FortiGate-300 login:
8 Type a valid administrator name and press Enter.
9 Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the FortiGate CLI, and you can enter CLI commands.
Setting administrative access on an interface
To perform administrative functions through a FortiGate network interface, you
must enable the required types of administrative access on the interface to which
your management computer connects. Access to the CLI requires SSH or Telnet
access. If you want to use the web-based manager, you need HTTPS or HTTP
access.
To use the web-based manager to configure FortiGate interfaces for SSH or
Telnet access, see the FortiGate Administration Guide.
To use the CLI to configure SSH or Telnet access
1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.
2 Use the following command to configure an interface to accept SSH connections:
config system interface
    edit <interface_name>
        set allowaccess <access_types>
end
Where <interface_name> is the name of the FortiGate interface to be configured to allow administrative access and <access_types> is a whitespace-separated list of access types to enable.
For example, to configure the internal interface to accept HTTPS (web-based manager), SSH and Telnet connections, enter:
config system interface
    edit internal
        set allowaccess https ssh telnet
end
3 To confirm that you have configured SSH or Telnet access correctly, enter the following command to view the access settings for the interface:
get system interface <name_str>
The CLI displays the settings, including allowaccess, for the named interface.
Other access methods
The procedure above shows how to allow access only for Telnet or only for SSH. If you want to allow both, or any of the other management access types, you must include all the options you want to apply. For example, to allow PING, HTTPS and SSH access to an interface, the set portion of the command is set allowaccess ping https ssh.
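The following Python script is an added example, not code from this reference or from Fortinet: it reads the allowaccess list from the get system interface output described in step 3 and builds the complete replacement set allowaccess line, dropping Telnet and HTTP while keeping the other options, because every set replaces the whole list. The sample output is constructed, and the generated line uses the option order in which this chapter documents the keyword.

```python
# Added example (not from the FortiGate CLI Reference): read the allowaccess
# list from "get system interface <name>" output and build the replacement
# "set allowaccess ..." line. FortiOS replaces the whole list on every set,
# so the generated line must carry every option you intend to keep.

# Access types the reference lists for allowaccess, in its documented order.
ALLOWACCESS_OPTIONS = ("ping", "https", "ssh", "snmp", "http", "telnet")
# Management protocols that carry the administrator login without encryption.
CLEARTEXT_OPTIONS = frozenset({"telnet", "http"})

# Constructed sample of "get system interface internal" output in the
# "keyword : value" layout the reference shows; not output of a real unit.
SAMPLE_GET_OUTPUT = """\
name                : internal
allowaccess         : ping https ssh telnet
arpforward          : enable
cli_conn_status     : 0
detectserver        : (null)
gwdetect            : disable
ip                  : 192.168.20.200 255.255.255.0
"""


def parse_get_output(text):
    """Turn 'keyword : value' lines into a dict; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def current_allowaccess(settings):
    """Access types currently enabled on the interface, as a set."""
    return set(settings.get("allowaccess", "").split())


def cleartext_access(settings):
    """Enabled access types that expose the login in clear text, sorted."""
    return sorted(current_allowaccess(settings) & CLEARTEXT_OPTIONS)


def allowaccess_command(settings, add=(), remove=()):
    """Build the full 'set allowaccess ...' line: current options plus 'add',
    minus 'remove'. Unknown names are rejected so a typo cannot silently
    drop options, and emptying the list is refused to avoid a lock-out."""
    unknown = (set(add) | set(remove)) - set(ALLOWACCESS_OPTIONS)
    if unknown:
        raise ValueError("unknown allowaccess option(s): " + " ".join(sorted(unknown)))
    wanted = (current_allowaccess(settings) | set(add)) - set(remove)
    if not wanted:
        raise ValueError("refusing to remove all management access")
    # Keep the reference's option order so successive diffs stay readable.
    return "set allowaccess " + " ".join(o for o in ALLOWACCESS_OPTIONS if o in wanted)


def harden_commands(settings):
    """Command sequence that drops cleartext management access from the
    interface named in the parsed output, leaving the other options intact."""
    return [
        "config system interface",
        "edit " + settings["name"],
        allowaccess_command(settings, remove=CLEARTEXT_OPTIONS),
        "end",
    ]


if __name__ == "__main__":
    parsed = parse_get_output(SAMPLE_GET_OUTPUT)
    print("cleartext management access:", cleartext_access(parsed))
    print("\n".join(harden_commands(parsed)))
```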
Note: Remember to press Enter at the end of each line in the command example. Also, type end and press Enter to commit the changes to the FortiGate configuration.
Connecting to the FortiGate CLI using SSH
Secure Shell (SSH) provides strong secure authentication and secure communications to the FortiGate CLI from your internal network or the Internet. Once the FortiGate unit is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiGate CLI.
To connect to the CLI using SSH
1 Install and start an SSH client.
2 Connect to a FortiGate interface that is configured for SSH connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The FortiGate model name followed by a # is displayed.
You have connected to the FortiGate CLI, and you can enter CLI commands.
Note: A maximum of 5 SSH connections can be open at the same time.
Connecting to the FortiGate CLI using Telnet
You can use Telnet to connect to the FortiGate CLI from your internal network or the Internet. Once the FortiGate unit is configured to accept Telnet connections, you can run a Telnet client on your management computer and use this client to connect to the FortiGate CLI.
Caution: Telnet is not a secure access method. SSH should be used to access the FortiGate CLI from the Internet or any other unprotected network.
To connect to the CLI using Telnet
1 Install and start a Telnet client.
2 Connect to a FortiGate interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the FortiGate CLI, and you can enter CLI commands.
Note: A maximum of 5 Telnet connections can be open at the same time.
Connecting to the FortiGate CLI using the web-based manager
The web-based manager also provides a CLI console that can be detached as a separate window.
To connect to the CLI using the web-based manager
1 Connect to the web-based manager and log in.
For information about how to do this, see the FortiGate Administration Guide.
2 Go to System > Status.
3 If you do not see the CLI Console display, select Add Content > CLI Console.
4 Click in the CLI Console display to connect.
CLI objects
The FortiGate CLI is based on configurable objects. The top-level objects are the
basic components of FortiGate functionality.
There is a chapter in this manual for each of these top-level objects. Each of these
objects contains more specific lower level objects. For example, the firewall object
contains objects for addresses, address groups, policies and protection profiles.
Table 2: CLI objects
alertemail    sends email to designated recipients when it detects log messages of a defined severity level
antivirus    scans services for viruses and grayware, optionally providing quarantine of infected files
firewall    controls connections between interfaces according to policies based on IP addresses and type of service, applies protection profiles
gui    controls preferences for the web-based manager CLI console and topology viewer
imp2p    controls user access to Internet Messaging and Person-to-Person applications
ips    intrusion prevention system
log    configures logging
router    moves packets from one network segment to another towards a network destination, based on packet headers
spamfilter    filters email based on MIME headers, a banned word list, lists of banned email and IP addresses
switch    configures secure switch features on the FortiGate-224B unit
system    configures options related to the overall operation of the FortiGate unit, such as interfaces, virtual domains, and administrators
user    authenticates users to use firewall policies or VPNs
vpn    provides Virtual Private Network access through the FortiGate unit
webfilter    blocks or passes web traffic based on a banned word list, filter URLs, and FortiGuard-Web category filtering
CLI command branches
The FortiGate CLI consists of the following command branches:
config branch
get branch
show branch
execute branch
diagnose branch
Examples showing how to enter command sequences within each branch are provided in the following sections. See also Example command sequences on page 39.
config branch
The config commands configure CLI objects, such as the firewall, the router, antivirus protection, and so on. For more information about CLI objects, see CLI objects on page 33.
Top-level objects are containers for more specific lower level objects that are each in the form of a table. For example, the firewall object contains tables of addresses, address groups, policies and protection profiles. You can add, delete or edit the entries in the table. Table entries consist of keywords that you can set to particular values.
To configure an object, you use the config command to navigate to the object's command shell. For example, to configure administrators, you enter the command
config system admin
The command prompt changes to show that you are now in the admin shell.
(admin)#
This is a table shell. You can use any of the following commands:
delete    Remove an entry from the FortiGate configuration. For example, in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.
edit    Add an entry to the FortiGate configuration or edit an existing entry. For example, in the config system admin shell:
    type edit admin and press Enter to edit the settings for the default admin administrator account.
    type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.
end    Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You return to the root FortiGate CLI prompt. The end command is also used to save set command changes and leave the shell.
get    List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.
move    Change the position of an entry in an ordered table. For example, in the config firewall policy shell:
    type move 3 after 1 and press Enter to move the policy in the third position in the table to the second position in the table.
    type move 3 before 1 and press Enter to move the policy in the third position in the table to the first position in the table.
purge    Remove all entries configured in the current shell. For example, in the config user local shell:
    type get to see the list of user names added to the FortiGate configuration,
    type purge and then y to confirm that you want to purge all the user names,
    type get again to confirm that no user names are displayed.
rename    Rename a table entry. For example, in the config system admin shell, you could rename admin3 to fwadmin like this:
    rename admin3 to fwadmin
show    Show changes to the default configuration in the form of configuration commands.
The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell, you must leave the shell you are working in and enter the other shell.
If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:
edit admin_1
The FortiGate unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:
new entry 'admin_1' added
(admin_1)#
From this prompt, you can use any of the following commands:
abort    Exit an edit shell without saving the configuration.
config    In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add a secondary IP address to a network interface. See the example To add two secondary IP addresses to the internal interface on page 40.
end    Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. The end command is also used to save set command changes and leave the shell.
get    List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.
next    Save the changes you have made in the current shell and continue working in the shell. For example, if you want to add several new user accounts, enter the config user local shell.
    Type edit User1 and press Enter.
    Use the set commands to configure the values for the new user account.
    Type next to save the configuration for User1 without leaving the config user local shell.
    Continue using the edit, set, and next commands to continue adding user accounts.
    Type end and press Enter to save the last configuration and leave the shell.
set    Assign values. For example, from the edit admin command shell, typing set passwd newpass changes the password of the admin administrator account to newpass.
    Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
show    Show changes to the default configuration in the form of configuration commands.
unset    Reset values to defaults. For example, from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.
get branch
Use get to display system status information. For information about these commands, see get on page 577.
You can also use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for a particular object. To use get from the root prompt, you must include a path to a shell. The root prompt is the FortiGate host name followed by a #.
Note: Interface names vary for different FortiGate models. The following examples use the interface names for a FortiGate-300 unit.
Example
The command get hardware status provides information about various physical components of the FortiGate unit.
# get hardware status
Model name: Fortigate-300
ASIC version: CP
SRAM: 64M
CPU: Pentium III (Coppermine)
RAM: 250 MB
Compact Flash: 122 MB /dev/hda
Hard disk: 38154 MB /dev/hdc
Network Card chipset: Intel(R) 8255x-based Ethernet Adapter (rev. 0x0009)
Example
When you type get in the config system interface shell, information about all of the interfaces is displayed.
At the (interface)# prompt, type:
get
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
...
Example
When you type get in the internal interface shell, the configuration values for the internal interface are displayed.
edit internal
At the (internal)# prompt, type:
get
The screen displays:
name : internal
allowaccess : ping https ssh
arpforward : enable
cli_conn_status : 0
detectserver : (null)
gwdetect : disable
ip : 192.168.20.200 255.255.255.0
and so on.
Example
You are working in the config system global shell and want to see information about the FortiGate interfaces.
At the (global)# prompt, type:
get system interface
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
...
Example
You want to confirm the IP address and netmask of the internal interface from the root prompt.
At the # prompt, type:
get system interface internal
The screen displays:
name : internal
allowaccess : ping https ssh
arpforward : enable
cli_conn_status : 0
detectserver : (null)
gwdetect : disable
ip : 192.168.20.200 255.255.255.0
ip6-address : ::/0
ip6-default-life : 1800
...
show branch
Use show to display the FortiGate unit configuration. By default, only changes to the default configuration are displayed. Use show full-configuration to display the complete configuration.
You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified object.
To display the configuration of all objects, you can use show from the root prompt. The root prompt is the FortiGate host or model name followed by a #.
Example
When you type show and press Enter within the internal interface shell, the changes to the default internal interface configuration are displayed.
At the (internal)# prompt, type:
show
The screen displays:
config system interface
    edit internal
        set allowaccess ssh ping https
        set ip 192.168.20.200 255.255.255.0
    next
end
Example
You are working in the internal interface shell and want to see the system global configuration. At the (internal)# prompt, type:
show system global
The screen displays:
config system global
    set admintimeout 5
    set authtimeout 15
    set failtime 5
    set hostname 'Fortigate-300'
    set interval 5
    set lcdpin 123456
    set ntpserver '132.246.168.148'
    set syncinterval 60
    set timezone 04
end
execute branch
Use execute to run static commands, to reset the FortiGate unit to factory defaults, and to back up or restore FortiGate configuration files. The execute commands are available only from the root prompt. The root prompt is the FortiGate host or model name followed by a #.
Example
At the root prompt, type:
execute reboot
and press Enter to restart the FortiGate unit.
diagnose branch
Commands in the diagnose branch are used for debugging the operation of the FortiGate unit and to set parameters for displaying different levels of diagnostic information. The diagnose commands are not documented in this CLI Reference Guide.
Caution: Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.
Example command sequences
Note: Interface names vary for different FortiGate models. The following examples use the interface names for a FortiGate-300 unit.
To configure the primary and secondary DNS server addresses
1 Starting at the root prompt, type:
config system dns
and press Enter. The prompt changes to (dns)#.
2 At the (dns)# prompt, type ?
The following options are displayed.
set
unset
get
show
abort
end
3 Type set ?
The following options are displayed.
primary
secondary
domain
dns-cache-limit
cache-not-found-responses
4 To set the primary DNS server address to 172.16.100.100, type:
set primary 172.16.100.100
and press Enter.
5 To set the secondary DNS server address to 207.104.200.1, type:
set secondary 207.104.200.1
and press Enter.
6 To restore the primary DNS server address to the default address, type unset primary and press Enter.
7 To restore the secondary DNS server address to the default address, type unset secondary and press Enter.
8 If you want to leave the config system dns shell without saving your changes, type abort and press Enter.
9 To save your changes and exit the dns sub-shell, type end and press Enter.
10 To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.
To add two secondary IP addresses to the internal interface
1 Starting at the root prompt, type:
config system interface
and press Enter. The prompt changes to (interface)#.
2 At the (interface)# prompt, type ?
The following options are displayed.
edit
delete
purge
rename
get
show
end
3 At the (interface)# prompt, type:
edit internal
and press Enter. The prompt changes to (internal)#.
4 At the (internal)# prompt, type ?
The following options are displayed.
config
set
unset
get
show
next
abort
end
5 At the (internal)# prompt, type:
config secondaryip
and press Enter. The prompt changes to (secondaryip)#.
6 At the (secondaryip)# prompt, type ?
The following options are displayed.
edit
delete
purge
rename
get
show
end
7 To add a secondary IP address with the ID number 0, type:
edit 0
and press Enter. The prompt changes to (0)#.
8 At the (0)# prompt, type ?
The following options are displayed.
set
unset
get
show
next
abort
end
9 Type set ?
The following options are displayed.
allowaccess
detectserver
gwdetect
ip
10 To set the secondary IP address with the ID number 0 to 192.168.100.100 and the netmask to 255.255.255.0, type:
set ip 192.168.100.100 255.255.255.0
and press Enter.
11 To add another secondary IP address to the internal interface, type next and press Enter.
The prompt changes to (secondaryip)#.
12 To add a secondary IP address with the ID number 1, type:
edit 1
and press Enter. The prompt changes to (1)#.
13 To set the secondary IP address with the ID number 1 to 192.168.100.90 and the netmask to 255.255.255.0, type:
set ip 192.168.100.90 255.255.255.0
and press Enter.
14 To restore the secondary IP address with the ID number 1 to the default, type unset ip and press Enter.
15 If you want to leave the secondary IP address 1 shell without saving your changes, type abort and press Enter.
16 To save your changes and exit the secondary IP address 1 shell, type end and press Enter.
The prompt changes to (internal)#.
17 To delete the secondary IP address with the ID number 1, type delete 1 and press Enter.
18 To save your changes and exit the internal interface shell, type end and press Enter.
19 To confirm your changes have taken effect after using the end command, type get system interface internal and press Enter.
CLI basics
This section includes:
Command help
Command completion
Recalling commands
Editing commands
Line continuation
Command abbreviation
Environment variables
Encrypted password support
Entering spaces in strings
Entering quotation marks in strings
Entering a question mark (?) in a string
International characters
Special characters
IP address formats
Editing the configuration file
Setting screen paging
Changing the baud rate
Using Perl regular expressions
Command help
You can press the question mark (?) key to display command help.
Press the question mark (?) key at the command prompt to display a list of the
commands available and a description of each command.
Type a command followed by a space and press the question mark (?) key to
display a list of the options available for that command and a description of
each option.
Type a command followed by an option and press the question mark (?) key to
display a list of additional options available for that command option
combination and a description of each option.
Command completion
You can use the tab key or the question mark (?) key to complete commands.
You can press the tab key at any prompt to scroll through the options available
for that prompt.
You can type the first characters of any command and press the tab key or the
question mark (?) key to complete the command or to scroll through the
options that are available at the current cursor position.
After completing the first word of a command, you can press the space bar and
then the tab key to scroll through the options available at the current cursor
position.
Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.
Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys and the control keys listed in Table 3 to edit the command.
Table 3: Control keys for editing commands
Function    Key combination
Beginning of line    CTRL+A
End of line    CTRL+E
Back one character    CTRL+B
Forward one character    CTRL+F
Delete current character    CTRL+D
Previous command    CTRL+P
Next command    CTRL+N
Abort the command    CTRL+C
If used at the root prompt, exit the CLI    CTRL+C
Line continuation
To break a long command over multiple lines, use a \ at the end of each line.
Command abbreviation
You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.
Environment variables
The FortiGate CLI supports the following environment variables.
$USERFROM    The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator.
$USERNAME    The user account name of the logged in administrator.
$SerialNum    The serial number of the FortiGate unit.
Variable names are case sensitive. In the following example, the unit hostname is set to the serial number.
config system global
    set hostname $SerialNum
end
Encrypted password support
After you enter a clear text password using the CLI, the FortiGate unit encrypts
the password and stores it in the configuration file with the prefix ENC. For
example:
show system admin user1
lists the user1 administrator password as follows:
config system admin
    edit "user1"
        set accprofile "prof_admin"
        set password ENC XXNFKpSV3oIVk
    next
end
It is also possible to enter an already encrypted password. For example, type:
config system admin
and press Enter.
Type:
edit user1
and press Enter.
Type:
set password ENC XXNFKpSV3oIVk
and press Enter.
Type:
end
and press Enter.
Entering spaces in strings
When a string value contains a space, do one of the following:
Enclose the string in quotation marks, "Security Administrator", for example.
Enclose the string in single quotes, 'Security Administrator', for example.
Use a backslash (\) preceding the space, Security\ Administrator, for example.
Entering quotation marks in strings
If you want to include a quotation mark, single quote or apostrophe in a string, you
must precede the character with a backslash character. To include a backslash,
enter two backslashes.
Entering a question mark (?) in a string
If you want to include a question mark (?) in a string, you must precede the
question mark with CTRL-V. Entering a question mark without first entering
CTRL-V causes the CLI to display possible command completions, terminating
the string.
International characters
The CLI supports international characters in strings. The web-based manager
dashboard CLI Console applet supports the appropriate character set for the
current administration language. If you want to enter strings that contain Asian
characters, configure the CLI Console to use the external command input box.
International character support with external applications such as SSH clients
depends on the capabilities and settings of the application.
Special characters
The characters <, >, (, ), #, , and are not permitted in most CLI fields. The
exceptions are:
passwords
replacemsg buffer
firewall policy comments
ips custom signature
antivirus filepattern
antivirus exempt filepattern
webfilter bword
spamfilter bword pattern
system interface username (PPPoE mode)
system modem phone numbers or account user names
firewall profile comment
spamfilter mheader fieldbody
spamfilter emailbwl email_pattern
router info bgp regular expressions
router aspath-list rule regular expressions
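The rules in this and the preceding string-entry sections (spaces, quotation marks, question marks, special characters) can be checked mechanically before a value is typed or scripted. The Python below is an added example, not code from the FortiGate CLI Reference; the EXEMPT_FIELDS names are a "<command> <field>" naming convention chosen for this example, and FORBIDDEN holds only the five characters the text above names.

```python
"""Prepare string values for the FortiGate CLI (added example; not code from
the FortiGate CLI Reference). It applies the rules described above: wrap a
value containing spaces in quotation marks, put a backslash before an
embedded quotation mark or apostrophe, type a backslash twice, press CTRL-V
before a question mark, and keep <, >, (, ), # out of ordinary fields."""

# Characters the reference says are not permitted in most CLI fields.
FORBIDDEN = frozenset("<>()#")

# Fields listed as exceptions, in a "<command> <field>" form chosen for this
# example (hypothetical naming; the reference lists them as prose).
EXEMPT_FIELDS = frozenset({
    "system admin password",
    "system replacemsg buffer",
    "firewall policy comments",
    "ips custom signature",
    "antivirus filepattern",
    "webfilter bword",
    "spamfilter bword pattern",
    "firewall profile comment",
    "spamfilter emailbwl email_pattern",
})


def escape_cli_string(value):
    """Escape backslashes, quotation marks and apostrophes as the CLI expects."""
    return (value.replace("\\", "\\\\")   # a literal backslash is typed twice
                 .replace('"', '\\"')     # quotation mark -> \"
                 .replace("'", "\\'"))    # apostrophe / single quote -> \'


def quote_cli_string(value):
    """Return the text to type for `value` in a set command.

    Values with spaces or escaped characters are wrapped in quotation marks
    (the first of the three forms the reference gives for spaces).
    """
    escaped = escape_cli_string(value)
    if " " in value or escaped != value:
        return f'"{escaped}"'
    return escaped


def needs_ctrl_v(value):
    """True if typing `value` interactively needs CTRL-V before a '?', because
    a bare '?' triggers command help and terminates the string."""
    return "?" in value


def forbidden_chars(field, value):
    """Return the forbidden characters present in `value`, sorted, unless
    `field` is one of the listed exceptions (then nothing is forbidden)."""
    if field in EXEMPT_FIELDS:
        return []
    return sorted(FORBIDDEN & set(value))
```

A value such as web<1> for an address name is reported as using < and >, while the same text in a firewall policy comment passes, matching the exception list above.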
IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit
format. For example you can type either:
set ip 192.168.1.1 255.255.255.0
or
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.
Editing the configuration file
You can change the FortiGate configuration by backing up the configuration file to
a TFTP server. Then you can make changes to the file and restore it to the
FortiGate unit.
1 Use the execute backup config command to back up the configuration file to
a TFTP server.
2 Edit the configuration file using a text editor.
Related commands are listed together in the configuration file. For instance, all
the system commands are grouped together, all the antivirus commands are
grouped together and so on. You can edit the configuration by adding, changing or
deleting the CLI commands in the configuration file.
The first line of the configuration file contains information about the firmware
version and FortiGate model. Do not edit this line. If you change this information
the FortiGate unit will reject the configuration file when you attempt to restore it.
3 Use the execute restore config command to copy the edited configuration
file back to the FortiGate unit.
The FortiGate unit receives the configuration file and checks to make sure the
firmware version and model information is correct. If it is, the FortiGate unit loads
the configuration file and checks each command for errors. If the FortiGate unit
finds an error, an error message is displayed after the command and the
command is rejected. Then the FortiGate unit restarts and loads the new
configuration.
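The checks in steps 2 and 3 above, together with the ENC password prefix and the IP address formats described earlier, are the things worth verifying in a backed-up file before restoring it. The Python below is an added example, not code from the FortiGate CLI Reference; its SAMPLE_CONFIG is constructed for the example, and its first line is a placeholder rather than a real firmware-and-model header.

```python
"""Audit a backed-up FortiGate configuration before restoring it (added
example; not code from the FortiGate CLI Reference). It walks the
config/edit/set/next/end nesting, leaves the first line (firmware version
and model) untouched when editing, flags any `set password` value that is
not stored with the ENC prefix, and shows that both IP address formats
accepted on input normalise to the dotted-decimal form the file displays."""
import ipaddress
import shlex

# Constructed sample backup. The header line is a placeholder; a real file
# carries the unit's firmware version and model there and must not be edited.
SAMPLE_CONFIG = """\
#config-version=<MODEL-AND-FIRMWARE-PLACEHOLDER>
config system global
    set hostname "FGT-example"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC XXNFKpSV3oIVk
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set password hardtoguess
    next
end
config system interface
    edit "port1"
        set ip 192.168.1.1/24
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
    next
end
"""


def parse_config(text):
    """Return (header_line, settings); settings are (path, field, args) tuples."""
    lines = text.splitlines()
    header, path, settings = lines[0], [], []
    for line in lines[1:]:
        tokens = shlex.split(line)        # honours "quoted strings" in values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            path.append(" ".join(args))   # e.g. "system admin"
        elif keyword == "edit":
            path.append(args[0])          # the table entry, e.g. "admin"
        elif keyword in ("next", "end"):
            path.pop()
        elif keyword == "set":
            settings.append((" > ".join(path), args[0], args[1:]))
    return header, settings


def cleartext_passwords(settings):
    """Paths of password fields that are not stored encrypted (no ENC prefix)."""
    return [path for path, field, args in settings
            if field == "password" and args[:1] != ["ENC"]]


def normalize_ip(args):
    """Accept 'a.b.c.d/bits' or 'a.b.c.d mask' and return (address, mask)."""
    spec = args[0] if len(args) == 1 else f"{args[0]}/{args[1]}"
    iface = ipaddress.ip_interface(spec)
    return str(iface.ip), str(iface.netmask)


def audit(text):
    """Summarise what a reviewer should check before execute restore config."""
    header, settings = parse_config(text)
    return {
        "header": header,
        "cleartext_passwords": cleartext_passwords(settings),
        "interfaces": {path.split(" > ")[-1]: normalize_ip(args)
                       for path, field, args in settings if field == "ip"},
    }


def edit_body(text, transform):
    """Apply `transform` to every line except the header, which must not change."""
    lines = text.splitlines()
    return "\n".join([lines[0]] + [transform(line) for line in lines[1:]]) + "\n"
```

Running audit on the sample reports the helpdesk account as the one whose password was written in clear text, and shows port1 and port2 with the same dotted-decimal mask even though they were entered in different formats.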
Setting screen paging
Using the config system console command, you can configure the display to
pause when the screen is full. This is convenient for viewing the lengthy output of
a command such as get system global.
When the display pauses, the bottom line of the console displays --More--. You
can then do one of the following:
Press the spacebar to continue.
Press Q to end the display. One more line of output is displayed, followed by
the shell prompt.
To set paged output, enter the following command:
config system console
    set output more
end
Changing the baud rate
Using set baudrate in the config system console shell, you can change
the default console connection baud rate.
Note: Changing the default baud rate is available for FortiGate units with BIOS 3.03 and
higher and FortiOS version 2.50 and higher.
Using Perl regular expressions
Some FortiGate features, such as spam filtering and web content filtering, can use
either wildcards or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl
regular expressions.
Some differences between regular expression and wildcard pattern matching
In Perl regular expressions, the . character refers to any single character. It is similar
to the ? character in wildcard pattern matching. As a result:
fortinet.com not only matches fortinet.com but also matches
fortinetacom, fortinetbcom, fortinetccom and so on.
To match a special character such as . and *, regular expressions use the \
escape character. For example:
To match fortinet.com, the regular expression should be fortinet\.com.
In Perl regular expressions, * means match 0 or more times of the character
before it, not 0 or more times of any character. For example:
forti*\.com matches fortiiii.com but does not match fortinet.com.
To match any character 0 or more times, use .* where . means any character
and the * means 0 or more times. For example:
the wildcard match pattern forti*.com is equivalent to the regular
expression forti.*\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression test not only matches the word test but
also matches any word that contains the word test such as atest, mytest,
testimony, atestb. The notation \b specifies the word boundary. To match
exactly the word test, the expression should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam
filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of bad language
regardless of case.
Table 4: Perl regular expression examples
Expression   Matches
abc          abc (that exact character sequence, but anywhere in the string)
^abc         abc at the beginning of the string
abc$         abc at the end of the string
a|b          either of a and b
^abc|abc$    the string abc at the beginning or at the end of the string
ab{2,4}c     an a followed by two, three or four b's followed by a c
ab{2,}c      an a followed by at least two b's followed by a c
ab*c         an a followed by any number (zero or more) of b's followed by a c
ab+c         an a followed by one or more b's followed by a c
ab?c         an a followed by an optional b followed by a c; that is, either abc or ac
a.c          an a followed by any single character (not newline) followed by a c
a\.c         a.c exactly
[abc]        any one of a, b and c
[Aa]bc       either of Abc and abc
[abc]+       any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+      any (nonempty) string which does not contain any of a, b and c (such as
             defg)
\d\d         any two decimal digits, such as 42; same as \d{2}
/i           makes the pattern case insensitive. For example, /bad language/i
             blocks any instance of bad language regardless of case.
\w+          a "word": a nonempty sequence of alphanumeric characters and low
             lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk     the strings 100 and mk optionally separated by any amount of white
             space (spaces, tabs, newlines)
abc\b        abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B       perl when not followed by a word boundary (e.g. in perlert but not in perl
             stuff)
\x           tells the regular expression parser to ignore white space that is neither
             backslashed nor within a character class. You can use this to break up
             your regular expression into (slightly) more readable parts.
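As an added example, not from the FortiGate CLI Reference, the following Python uses the re module (which follows the same Perl-style syntax) to check the differences described above and several of the Table 4 entries: . and * in regular expressions versus wildcards, the missing implicit word boundary, and the /i modifier. The wildcard-to-regex translation is the general rule of which forti*.com is the text's one instance.

```python
"""Perl regular expressions versus wildcard patterns (added example; not code
from the FortiGate CLI Reference). Python's re module follows the Perl-style
rules the section above describes, so it can show the differences directly:
'.' and '*' mean different things in the two notations, there is no implicit
word boundary, and matching is case sensitive unless /i is given."""
import re


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern into the equivalent regular expression:
    '*' becomes '.*', '?' becomes '.', everything else is taken literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # so '.' becomes '\.'
    return "".join(parts)


def regex_search(expr, text):
    """Search `text` for `expr`; a trailing /i, as in /bad language/i, makes
    the search case insensitive."""
    flags = 0
    if expr.startswith("/") and expr.endswith("/i"):
        expr, flags = expr[1:-2], re.IGNORECASE
    return re.search(expr, text, flags) is not None


def whole_word(word):
    """Return the expression that matches `word` only as a whole word, with a
    word-boundary assertion on each side."""
    return r"\b" + re.escape(word) + r"\b"


def compare_wildcard_vs_regex(pattern, candidates):
    """For each candidate, report (matches as a wildcard, matches if the same
    text is mistakenly used as a regular expression)."""
    as_regex = wildcard_to_regex(pattern)
    return {c: (regex_search(as_regex, c), regex_search(pattern, c))
            for c in candidates}
```

For forti*.com the comparison shows fortinet.com matching as a wildcard but not as a regular expression, fortiiii.com matching in both readings, and fortinetacom matching in neither, which is exactly the behaviour the bullets above describe.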
Working with virtual domains
By default, the FortiGate unit has one virtual domain (root) and one administrator (admin) with
unrestricted access to the system configuration. If you enable virtual domain configuration, the super
admin account can also:
Use the vdom command to create and configure additional virtual domains.
Use the global command to create and assign administrators to each virtual domain.
Use the global command to configure features that apply to all virtual domains.
This section contains the following topics:
Enabling virtual domain configuration
Accessing commands in virtual domain configuration
Creating and configuring VDOMs
Configuring inter-VDOM routing
Changing the management VDOM
Creating VDOM administrators
Troubleshooting ARP traffic on VDOMs
global
vdom
Enabling virtual domain configuration
The administrators with the super_admin profile can enable virtual domain configuration through either
the web-based manager or the CLI. In the CLI, use the following command:
config system global
    set vdom-admin enable
end
Log off and then log on again with a super_admin admin account. By default, there is no password for
the default admin account.
Accessing commands in virtual domain configuration
When you log in as admin with virtual domain configuration enabled, you have only four top-level
commands:
config global
    Enter config global to access global commands.
    In the global shell, you can execute commands that affect all virtual domains, such as
    config system autoupdate.
    For a list of the global commands, see global on page 57.
config vdom
    Enter config vdom to access VDOM-specific commands.
    In the vdom shell, use the edit <vdom_name> command to create a new VDOM or to
    edit the configuration of an existing VDOM.
    In the <vdom_name> shell, you can execute commands to configure options that apply
    only within the VDOM, such as config firewall policy.
    For a list of VDOM-specific commands, see vdom on page 60.
    When you have finished, enter next to edit another vdom, or end.
get system status
    System status. See vdom-link on page 403.
exit
    Log off.
Creating and configuring VDOMs
When virtual domain configuration is enabled, admin has full access to the global FortiGate unit
configuration and to the configuration of each VDOM. All of the commands described in this Reference
are available to admin, but they are accessed through a special top-level command shell.
Creating a VDOM
You create a new VDOM using the config vdom command. For example, to create a new VDOM
called vdomain2, you enter the following:
config vdom
    edit vdomain2
end
This creates a new VDOM operating in NAT/Route mode. You can have up to 10 VDOMs on your
FortiGate unit by default.
For this VDOM to be useful, you need to assign interfaces or VLAN subinterfaces to it.
Assigning interfaces to a VDOM
By default, all interfaces belong to the root domain. You can reassign an interface or VLAN
subinterface to another VDOM if the interface is not already used in a VDOM-specific configuration
such as a firewall policy. Interfaces are part of the global configuration of the FortiGate unit, so only the
admin account can configure them.
For example, to assign port3 and port4 to vdomain2, log on as admin and enter the following
commands:
config global
    config system interface
        edit port3
            set vdom vdomain2
        next
        edit port4
            set vdom vdomain2
    end
end
Setting VDOM operating mode
When you create a VDOM, its default operating mode is NAT/Route. You can change the operating
mode of each VDOM independently.
Changing to Transparent mode
When you change the operating mode of a VDOM from NAT/Route to Transparent mode, you must
specify the management IP address and the default gateway IP address. The following example
shows how to change vdomain2 to Transparent mode. The management IP address is
192.168.10.100, and the default gateway is 192.168.10.1:
config vdom
    edit vdomain3
        config system settings
            set opmode transparent
            set manageip 192.168.10.100 255.255.255.0
            set gateway 192.168.10.1
        end
For more information, see system settings on page 393.
Changing back to NAT/Route mode
If you change a Transparent mode VDOM back to NAT/Route mode, you must specify which interface
you will use for administrative access and the IP address for that interface. This ensures that
administrative access is configured on the interface. You must also specify the default gateway IP
address and the interface that connects to the gateway. For example,
config vdom
    edit vdomain3
        config system settings
            set opmode nat
        end
        config system interface
            edit port1
                set ip 192.168.10.100 255.255.255.0
        end
For more information, see system settings on page 393.
Configuring inter-VDOM routing
By default, VDOMs are independent of each other and to communicate they need to use physical
interfaces that are externally connected. By using the vdom-link command that was added in
FortiOS v3.0, this connection can be moved inside the FortiGate unit, freeing up the physical
interfaces. This feature also allows you to determine the level of inter-VDOM routing you want: only 2
VDOMs inter-connected, or interconnect all VDOMs. The vdom-link command creates virtual
interfaces, so you have access to all the security available to physical interface connections. These
internal interfaces have the added bonus of being faster than physical interfaces unless the CPU load is
very heavy. As of FortiOS v3.0 MR3, BGP is supported over inter-VDOM links.
Note: When you are naming VDOM links you are limited to 8 characters for the base name. In the
example below the link name v12_link that is used is correct, but a link name of v12_verylongname is too
long.
Note: In an HA setup with virtual clusters, inter-VDOM routing must be entirely within one cluster. You
cannot create links between virtual clusters, and you cannot move a VDOM that is linked into another
virtual cluster. In HA mode, with multiple vclusters, when you create the vdom-link in system vdom-link
there is an option to set which vcluster the link will be in.
In this example you already have configured two VDOMs called v1 and v2. You want to set up a link
between them. The following command creates the VDOM link called v12_link. Once you have the link
in place, you need to bind the two ends of the link to the VDOMs it will be connecting. Then you are
free to apply firewall policies or other security measures.
config global
    config system vdom-link
        edit v12_link
    end
    config system interface
        edit v12_link0
            set vdom v1
        next
        edit v12_link1
            set vdom v2
        next
    end
To remove the vdom-link, delete the vdom-link. You will not be able to delete the ends of the vdom-link
by themselves. To delete the above set up, enter:
config global
    config system vdom-link
        delete v12_link
    end
Before inter-VDOM routing, VDOMs were completely separate entities. Now, many new configurations
are available such as a service provider configuration (a number of VDOMS that go through one main
VDOM to access the internet) or a mesh configuration (where some or all VDOMs are connected to
some or all other VDOMs). These configurations are discussed in-depth in the FortiGate VLANs and
VDOMs Guide.
Changing the management VDOM
All management traffic leaves the FortiGate unit through the management VDOM. Management traffic
includes all external logging, remote management, and other Fortinet services. By default the
management VDOM is root. You can change this to another VDOM so that the traffic will leave your
FortiGate unit over the new VDOM.
You cannot change the management VDOM if any administrators are using RADIUS authentication.
If you want to change the management VDOM to vdomain2, you enter:
config global
    config system global
        set management-vdom vdomain2
    end
Creating VDOM administrators
The super_admin admin accounts can create regular administrators and assign them to VDOMs. The
system admin command, when accessed by admin, includes a VDOM assignment.
For example, to create an administrator, admin2, for VDOM vdomain2 with the default profile
prof_admin, you enter:
config global
    config system admin
        edit admin2
            set accprofile prof_admin
            set password hardtoguess
            set vdom vdomain2
    end
The admin2 administrator account can only access the vdomain2 VDOM and can connect only
through an interface that belongs to that VDOM. The VDOM administrator can access only VDOM-
specific commands, not global commands.
Troubleshooting ARP traffic on VDOMs
Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on
FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit,
especially if it is sitting between a client and a server or between a client and a router.
Duplicate ARP packets
ARP traffic can cause problems, especially in Transparent mode where ARP packets arriving on one
interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches
become unstable when they detect the same MAC address originating on more than one switch
interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not
maintain separate MAC address tables for each VLAN. Unstable switches may reset causing network
traffic to slow down.
Multiple VDOMs solution
One solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. This means
one inbound and one outbound VLAN interface in each virtual domain. ARP packets are not forwarded
between VDOMs.
By default, physical interfaces are in the root domain. Do not configure any of your VLANs in the root
domain.
As a result of this VDOM configuration, the switches do not receive multiple ARP packets with the
same source MAC but different VLAN IDs, and the instability does not occur.
Forward-domain solution
You may run into problems using the multiple VDOMs solution. It is possible that you have more
VLANs than licensed VDOMs, not enough physical interfaces or your configuration may work better by
grouping some VLANs together. In these situations the separate VDOMs solution may not work for
you.
In these cases, the solution is to use the forward-domain <collision_group_number> command. This
command tags VLAN traffic as belonging to a particular forward-domain collision group, and only
VLANs tagged as part of that collision group receive that traffic. By default ports and VLANs are part of
forward-domain collision group 0. For more information, see the FortiGate VLANs and VDOMs Guide.
This solution has many benefits, from reduced administration and fewer physical interfaces to more
flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on Port1 and
untagged traffic on Port2. Forward-domain collision group 341 includes VLAN 341 traffic on Port1 and
untagged traffic on Port3. All other ports are part of forward-domain collision group 0 by default.
These are the CLI commands to accomplish this setup.
config system interface
    edit port1
    next
    edit "port2"
        set forward_domain 340
    next
    edit port3
        set forward_domain 341
    next
    edit "port1-340"
        set forward_domain 340
        set interface "port1"
        set vlanid 340
    next
    edit "port1-341"
        set forward_domain 341
        set interface "port1"
        set vlanid 341
    next
end
There is a more detailed discussion of this issue in the Asymmetric Routing and Other FortiGate Layer-
2 Installation Issues technical note.
global
From the super_admin accounts, use this command to configure features that apply to all virtual
domains. Virtual domain configuration (vdom-admin) must be enabled. See system global on
page 326.
Command syntax pattern
This command syntax shows how you access the commands within config global. For information on
these commands, refer to the relevant sections in this Reference.
config global
    config antivirus ...
    config firewall service
    config gui console
    config gui topology
    config imp2p ...
    config ips ...
    config log fortianalyzer setting
    config log report definition
    config log report filter
    config log report output
    config log report period
    config log report schedule
    config log report scope
    config log report selection
    config log syslogd setting
    config log webtrends setting
    config spamfilter ...
    config system accprofile
    config system admin
    config system alertemail
    config system auto-install
    config system autoupdate clientoverride
    config system autoupdate ips
    config system autoupdate override
    config system autoupdate push-update
    config system autoupdate schedule
    config system autoupdate tunneling
    config system bug-report
    config system console
    config system dns
    config system fm
    config system fortianalyzer, fortianalyzer2, fortianalyzer3
    config system fortiguard
    config system global
    config system ha
    config system interface
    config system replacemsg admin
    config system replacemsg alertmail
    config system replacemsg auth
    config system replacemsg fortiguard-wf
    config system replacemsg ftp
    config system replacemsg http
    config system replacemsg im
    config system replacemsg mail
    config system replacemsg nntp
    config system replacemsg spam
    config system replacemsg sslvpn
    config system session-helper
    config system snmp community
    config system snmp sysinfo
    config system vdom-link
    config vpn certificate ca
    config vpn certificate crl
    config vpn certificate local
    config vpn certificate remote
    config webfilter fortiguard
    execute backup
    execute batch
    execute central-mgmt
    execute cfg reload
    execute cfg save
    execute cli
    execute date
    execute deploy
    execute dhcp lease-list
    execute disconnect-admin-session
    execute factoryreset
    execute formatlogdisk
    execute fsae refresh
    execute ha disconnect
    execute ha manage
    execute ha synchronize
    execute log delete-all
    execute log delete-filtered
    execute log delete-rolled
    execute log display
    execute log filter
    execute log list
    execute log roll
    execute log stats display
    execute log stats reset
    execute reboot
    execute restore
    execute set-next-reboot
    execute shutdown
    execute time
    execute traceroute
    execute update-av
    execute update-ips
    execute update-now
    execute usb-disk
    execute vpn certificate local
    execute vpn sslvpn del-tunnel
    get firewall service predefined ...
end
Command history
FortiOS v3.0       New.
FortiOS v3.0 MR1   Added vdom-link, vpn, webfilter, execute backup, batch, dhcp lease-client, dhcp lease-
                   list, fsae refresh, restore, telnet, and traceroute.
FortiOS v3.0 MR5   Added config firewall service, gui console, system console, system fortiguard, system
                   replacemsg admin/alertemail/auth/nntp, vpn certificate crl/local/remote, execute
                   central-mgmt, execute cfg ..., execute update-ips, and execute update-now.
Related topics
vdom
vdom
From the super admin account, use this command to add and configure virtual domains. The number
of virtual domains you can add is dependent on the FortiGate model. Virtual domain configuration
(vdom-admin) must be enabled. See system global on page 326.
Once you add a virtual domain you can configure it by adding zones, firewall policies, routing settings,
and VPN settings. You can also move physical interfaces from the root virtual domain to other virtual
domains and move VLAN subinterfaces from one virtual domain to another.
By default all physical interfaces are in the root virtual domain. You cannot remove an interface from a
virtual domain if the interface is part of any of the following configurations:
routing
proxy arp
DHCP server
zone
firewall policy
IP pool
redundant pair
link aggregate (802.3ad) group
Delete these items or modify them to remove the interface first.
You cannot delete the default root virtual domain and you cannot delete a virtual domain that is used
for system management.
Command syntax pattern
This command syntax shows how you access the commands within config global. Refer to the relevant
sections in this Reference for information on these commands.
config vdom
    edit <vdom_name>
        config antivirus
        config firewall address, address6
        config firewall addrgrp, addrgrp6
        config firewall dnstranslation
        config firewall ipmacbinding setting
        config firewall ipmacbinding table
        config firewall ippool
        config firewall multicast-policy
        config firewall policy, policy6
        config firewall schedule onetime
        config firewall schedule recurring
        config firewall service custom
        config firewall service group
        config firewall vip
        config gui console
        config gui topology
        config log {disk | fortianalyzer | memory | syslogd | webtrends |
            fortiguard} filter
        config log fortianalyzer setting
        config log memory setting
        config log trafficfilter
        config router ...
        config system admin
        config system arp-table
        config system dhcp reserved-address
        config system dhcp server
        config system gre-tunnel
        config system interface
        config system ipv6-tunnel
        config system proxy-arp
        config system session-ttl
        config system settings
        config system zone
        config user adgrp
        config user fsae
        config user group
        config user ldap
        config user local
        config user peer
        config user peergrp
        config user radius
        config vpn ...
        execute backup
        execute date
        execute deploy
        execute dhcp lease-list
        execute disconnect-admin-session
        execute fsae refresh
        execute ha disconnect
        execute ha manage
        execute ha synchronize
        execute log delete-all
        execute log delete-filtered
        execute log delete-rolled
        execute log display
        execute log filter
        execute log list
        execute log roll
        execute log stats display
        execute log stats reset
        execute ping
        execute ping-options
        execute ping6
        execute reboot
        execute restore
        execute router clear bgp
        execute router clear ospf process
        execute router restart
        execute set-next-reboot
        execute traceroute
        execute usb-disk
        execute vpn sslvpn del-tunnel
    next
    edit <another_vdom>
        config ...
        execute ...
    end
end
Example
This example shows how to add a virtual domain called Test1.
config system vdom
    edit Test1
end
Variable           Description                                                       Default
edit <vdom_name>   Enter a new name to create a new VDOM. Enter an existing
                   VDOM name to configure that VDOM.
                   The VDOM you enter becomes the current VDOM.
                   A VDOM cannot have the same name as a VLAN.
                   A VDOM name cannot exceed 11 characters in length.
Note: Use config system settings set opmode {nat | transparent} to set the operation
mode for this VDOM to nat (NAT/Route) or transparent.
Command history
FortiOS v3.0       New.
FortiOS v3.0 MR1   Added system admin, interface, ipv6-tunnel commands.
                   Added batch, date, reboot, execute router clear ospf process
                   commands.
                   Removed log fortianalyzer, log syslogd, log webtrends, router
                   graceful-restart commands.
FortiOS v3.0 MR1   Added system setting multicast-forward and multicast-ttl-notchange.
FortiOS v3.0 MR5   Removed config alertemail, and execute batch.
                   Added config gui, system arp-table, system proxy-arp, all of system settings.
Related topics
global
alertemail
Use alertemail commands to configure the FortiGate unit to monitor logs for log messages with
certain severity levels. If the message appears in the logs, the FortiGate unit sends an email to a
predefined recipient(s) of the log message encountered. Alert emails provide immediate notification of
issues occurring on the FortiGate unit, such as system failures or network attacks.
By default, the alertemail commands do not appear if no SMTP server is configured. An SMTP
server is configured using the system alertemail commands. See system alertemail on page 298 for
more information.
When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses
the SMTP server name to connect to the mail server and must look up this name on your DNS server.
See dns on page 317 for more information about configuring DNS servers.
This chapter contains the following section:
setting
setting
Use this command to configure the FortiGate unit to send an alert email to up to three recipients. This
command can also be configured to send an alert email a certain number of days before the FDS
license expires and/or when the disk usage exceeds a certain threshold amount. You need to configure
an SMTP server before configuring alert email settings. See system alertemail on page 298 for more
information.
Command syntax pattern
config alertemail setting
  set username <user-name-str>
  set mailto1 <email-address-str>
  set mailto2 <email-address-str>
  set mailto3 <email-address-str>
  set filter-mode <category> <threshold>
  set email-interval <minutes-integer>
  set severity {alert | critical | debug | emergency | error | information | notification | warning}
  set emergency-interval <minutes-integer>
  set alert-interval <minutes-integer>
  set critical-interval <minutes-integer>
  set error-interval <minutes-integer>
  set warning-interval <minutes-integer>
  set notification-interval <minutes-integer>
  set information-interval <minutes-integer>
  set debug-interval <minutes-integer>
  set IPS-logs {disable | enable}
  set firewall-authentication-failure-logs {disable | enable}
  set HA-logs {enable | disable}
  set IPsec-error-logs {disable | enable}
  set FDS-update-logs {disable | enable}
  set PPP-errors-logs {disable | enable}
  set sslvpn-authentication-errors-logs {disable | enable}
  set antivirus-logs {disable | enable}
  set webfilter-logs {disable | enable}
  set configuration-changes-logs {disable | enable}
  set violation-traffic-logs {disable | enable}
  set admin-login-logs {disable | enable}
  set local-disk-usage-warning {disable | enable}
  set FDS-license-expiring-warning {disable | enable}
  set FDS-license-expiring-days <integer>
  set local-disk-usage <integer>
  set fortiguard-log-quota-warning
end
Note: The FortiGate unit must be able to look up the SMTP server name on your DNS server because the
FortiGate unit uses the SMTP server to connect to the mail server. See system dns on page 317 for more
information.
Keywords and variables Description Default
username <user-name-str>
  Enter a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
  No default.
mailto1 <email-address-str>
  Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
  No default.
mailto2 <email-address-str>
  Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
  No default.
mailto3 <email-address-str>
  Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
  No default.
filter-mode <category> <threshold>
  Enter to set the filter mode of the alert email. The following only display when threshold is entered: emergency-interval, alert-interval, critical-interval, error-interval, warning-interval, notification-interval, information-interval, debug-interval.
  category
email-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email. This is not available when filter-mode threshold is enabled.
  5
emergency-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for emergency level messages. Only available when filter-mode threshold is entered.
  1
alert-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for alert level messages. Only available when filter-mode threshold is entered.
  2
critical-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for critical level messages. Only available when filter-mode threshold is entered.
  3
error-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for error level messages. Only available when filter-mode threshold is entered.
  5
warning-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for warning level messages. Only available when filter-mode threshold is entered.
  10
notification-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for notification level messages. Only available when filter-mode threshold is entered.
  20
information-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for information level messages. Only available when filter-mode threshold is entered.
  30
debug-interval <minutes-integer>
  Enter the number of minutes the FortiGate unit should wait before sending out an alert email for debug level messages. Only available when filter-mode threshold is entered.
  60
severity {alert | critical | debug | emergency | error | information | notification | warning}
  Select the logging severity level. This is only available when filter-mode threshold is entered. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert, and emergency level messages.
  alert: Immediate action is required.
  critical: Functionality is affected.
  debug: Information used for diagnosing or debugging the FortiGate unit.
  emergency: The system is unusable.
  error: An erroneous condition exists and functionality is probably affected.
  information: General information about system operations.
  notification: Information about normal events.
  warning: Functionality might be affected.
  alert
IPS-logs {disable | enable}
  Enable or disable IPS logs.
  disable
firewall-authentication-failure-logs {disable | enable}
  Enable or disable firewall authentication failure logs.
  disable
HA-logs {enable | disable}
  Enable or disable high availability (HA) logs.
  disable
IPsec-error-logs {disable | enable}
  Enable or disable IPsec error logs.
  disable
FDS-update-logs {disable | enable}
  Enable or disable FDS update logs.
  disable
PPP-errors-logs {disable | enable}
  Enable or disable PPP error logs.
  disable
sslvpn-authentication-errors-logs {disable | enable}
  Enable or disable SSL VPN authentication error logs.
  disable
antivirus-logs {disable | enable}
  Enable or disable antivirus logs.
  disable
webfilter-logs {disable | enable}
  Enable or disable web filter logs.
  disable
configuration-changes-logs {disable | enable}
  Enable or disable configuration changes logs.
  disable
violation-traffic-logs {disable | enable}
  Enable or disable traffic violation logs.
  disable
admin-login-logs {disable | enable}
  Enable or disable admin login logs.
  disable
local-disk-usage-warning {disable | enable}
  Enable or disable the local disk usage warning.
  disable
FDS-license-expiring-warning {disable | enable}
  Enable or disable email notification of the expiry date of the FDS license.
  disable
FDS-license-expiring-days <integer>
  Enter the number of days before the FDS license expires at which you want to be notified by email. For example, if you want notification five days in advance, enter 5.
  15
Examples
This example shows how to configure the user name, add three email addresses for sending alerts to, and select which log message types (such as HA and antivirus) trigger an alert email.
config alertemail setting
  set username fortigate@ourcompany.com
  set mailto1 admin1@ourcompany.com
  set mailto2 admin2@ourcompany.com
  set mailto3 admin3@ourcompany.com
  set filter-mode category
  set HA-logs enable
  set FDS-update-logs enable
  set antivirus-logs enable
  set webfilter-logs enable
  set admin-login-logs enable
  set violation-traffic-logs enable
end
local-disk-usage <integer>
  Enter the local disk usage value above which the FortiGate unit sends a warning.
  75
fortiguard-log-quota-warning
  Enter to receive an alert email when the FortiGuard Log & Analysis server reaches its quota.
  disable
Command history
FortiOS v2.80 Substantially revised and expanded.
FortiOS v3.0 Moved authentication, server and password to config system alertemail.
FortiOS v3.0 MR2 New keywords added for:
IPS-logs
firewall-authentication-failure-logs
HA-logs
IPSec-errors-logs
FDS-update-logs
PPP-errors-logs
sslvpn-authentication-errors-logs
antivirus-logs
webfilter-logs
configuration-changes-logs
violation-traffic-logs
admin-login-logs
FDS-license-expiring-warning
local-disk-usage-warning
FDS-license-expiring-days
local-disk-usage
FortiOS v3.0 MR4 Added fortiguard-log-quota-warning keyword.
Related topics
system alertemail
system dns
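As an added example (not Fortinet code), the following Python models the threshold filter mode described in the table above: a log line is eligible when its level is at or above the configured severity, and each level then waits its own <level>-interval before another email goes out. The log lines, their minute timestamps and the key=value field names are constructed samples; the real FortiOS log format and mail delivery are not modelled.

```python
"""Model of 'config alertemail setting' with filter-mode threshold.

Added example, not FortiOS code. Severity ranking and the default
per-level intervals come from the keyword table on this page; the log
lines and minute timestamps below are constructed sample data.
"""
import shlex
from dataclasses import dataclass, field

# Most severe first; this is the order the severity keyword uses when it
# says "all messages at and above the level you select".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Default <level>-interval values (minutes) from the table.
DEFAULT_INTERVALS = {"emergency": 1, "alert": 2, "critical": 3, "error": 5,
                     "warning": 10, "notification": 20, "information": 30,
                     "debug": 60}


def parse_log_line(line):
    """Split a key=value log line (values may be double quoted) into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


@dataclass
class ThresholdAlerter:
    """Decides, per log line, whether an alert email would go out now."""
    severity: str = "alert"                        # table default
    intervals: dict = field(default_factory=lambda: dict(DEFAULT_INTERVALS))
    last_sent: dict = field(default_factory=dict)  # level -> minute of last email

    def is_eligible(self, level):
        """True when level is at or above the configured severity."""
        return level in RANK and RANK[level] <= RANK[self.severity]

    def process(self, line, now_minute):
        """Return True if this line triggers an email at now_minute."""
        level = parse_log_line(line).get("level")
        if not self.is_eligible(level):
            return False
        last = self.last_sent.get(level)
        if last is not None and now_minute - last < self.intervals[level]:
            return False  # suppressed: still inside this level's interval
        self.last_sent[level] = now_minute
        return True


# Constructed sample log lines with the minute at which each arrived.
SAMPLE_LOG = [
    (0, 'level=critical logdesc="HA member down" msg="constructed sample"'),
    (1, 'level=critical logdesc="HA member down" msg="constructed sample"'),
    (1, 'level=warning logdesc="Disk usage" msg="constructed sample"'),
    (2, 'level=emergency logdesc="System unusable" msg="constructed sample"'),
    (3, 'level=critical logdesc="HA member down" msg="constructed sample"'),
    (4, 'level=emergency logdesc="System unusable" msg="constructed sample"'),
]


def run_sample(severity="critical"):
    """Feed SAMPLE_LOG through one alerter; returns one bool per line."""
    alerter = ThresholdAlerter(severity=severity)
    return [alerter.process(line, minute) for minute, line in SAMPLE_LOG]


if __name__ == "__main__":
    for (minute, line), sent in zip(SAMPLE_LOG, run_sample("critical")):
        print(f"min {minute}: {'EMAIL' if sent else 'no email'}  {line}")
```

With severity critical the second critical line (one minute after the first) is suppressed by the 3 minute critical-interval and the warning line is below the threshold, while the third critical line at minute 3 goes out again.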
antivirus
Use antivirus commands to configure antivirus scanning for services, quarantine options, and to
enable or disable grayware and heuristic scanning.
This chapter contains the following sections:
filepattern
grayware
heuristic
quarantine
quarfilepattern
service
filepattern
Use this command to add, edit or delete the file patterns used for virus blocking and to set which
protocols to check for files to block.
If you need to add configuration via CLI that requires ? as part of config, you need to input CTRL-V
first. If you enter the question mark (?) without first using CTRL-V, the question mark has a different
meaning in CLI: it will show available command options in that section.
For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:
edit "*.xe?"
new entry '*.xe?' added
Command syntax pattern
config antivirus filepattern
  edit <filepattern_list_integer>
    set name <filepattern_list>
    set comment <filepattern_list_comment>
    config entries
      edit <filepattern_string>
        set action <allow | block>
        set active {ftp http imap nntp pop3 smtp im}
    end
end
Keywords and variables Description Default
<filepattern_list_integer> A unique number to identify the file pattern list.
<filepattern_list> The name of the file pattern header list.
<filepattern_list_comment> The comment attached to the file pattern header list.
<filepattern_string> The name of the file pattern being configured. This can be any character string.
action <allow | block> The action taken when a matching file name pattern is being transferred via a set active protocol.
active {ftp http imap nntp pop3 smtp im}
  NNTP support for this keyword will be added in the future. The action specified will affect the file pattern in the selected protocols.
  Varies.
Command history
FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added IM. Added multiple-list capability for models 800 and above.
Related topics
antivirus heuristic
antivirus grayware
antivirus quarantine
antivirus quarfilepattern
antivirus service
grayware
Use this command to enable or disable grayware scanning for the specified category.
Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious purposes.
The FortiGate unit scans for known grayware executable programs in each category enabled. The
category list and contents are added or updated whenever the FortiGate unit receives a virus update
package. New categories may be added at any time and are loaded with virus updates. By default, all
new categories are disabled.
Grayware scanning is enabled in a protection profile when Virus Scan is enabled.
Adware Adware is usually embedded in freeware programs and causes ads to
pop up whenever the program is opened or used.
BHO BHOs (Browser Helper Objects) are DLL files that are often installed
as part of a software package so the software can control the behavior
of Internet Explorer 4.x and higher. Not all BHOs are malicious, but the
potential exists to track surfing habits and gather other information.
Dial Dialers allow others to use the PC modem to call premium numbers or
make long distance calls.
Download Download components are usually run at Windows startup and are
designed to install or download other software, especially advertising
and dial software.
Game Games are usually joke or nuisance games that may be blocked from
network users.
HackerTool
Hijacker Browser hijacking occurs when a spyware type program changes
web browser settings, including favorites or bookmarks, start pages,
and menu options.
Joke Joke programs can include custom cursors and programs that appear to affect the system.
Keylog Keylogger programs can record every keystroke made on a keyboard
including passwords, chat, and instant messages.
Misc The miscellaneous grayware category.
NMT Network management tools can be installed and used maliciously to
change settings and disrupt network security.
P2P P2P, while a legitimate protocol, is synonymous with file sharing
programs that are used to swap music, movies, and other files, often
illegally.
Plugin Browser plugins can often be harmless Internet browsing tools that are
installed and operate directly from the browser window. Some toolbars
and plugins can attempt to control or record and send browsing
preferences.
RAT Remote administration tools allow outside users to remotely change
and monitor a computer on a network.
Spy Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report users' activities, such as web browsing habits, to the advertiser's web site where it may be recorded and analyzed.
Toolbar While some toolbars are harmless, spyware developers can use these
toolbars to monitor web habits and send information back to the
developer.
Command syntax pattern
config antivirus grayware <category_name_str>
  set status {enable | disable}
end
Note: The FortiGate CLI is case sensitive and the first letter of all grayware category names is uppercase.
Keywords and variables Description Default
<category_name_str> The grayware category being configured.
status {enable | disable} Enable or disable grayware scanning for the specified category. disable
Example
This example shows how to enable grayware scanning for Adware programs.
config antivirus grayware Adware
  set status enable
end
Command history
FortiOS v2.80 New.
Related topics
antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus quarfilepattern
antivirus service
system autoupdate schedule
execute update-av
heuristic
Use this command to configure heuristic scanning for viruses in binary files.
Command syntax pattern
config antivirus heuristic
  set mode {pass | block | disable}
end
Keywords and variables Description Default
mode {pass | block | disable}
  Enter pass to enable heuristics but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
  Enter block to enable heuristics and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
  Enter disable to disable heuristics.
  pass
Example
This example shows how to disable heuristic scanning.
config antivirus heuristic
  set mode disable
end
Command history
FortiOS v2.80 New.
Related topics
antivirus filepattern
antivirus quarantine
antivirus quarfilepattern
antivirus service
quarantine
Use this command to set file quarantine options.
FortiGate units with a local disk can quarantine blocked and infected files. The quarantined files are
removed from the content stream and stored on the FortiGate local disk. Users receive a message
informing them that the removed files have been quarantined.
FortiGate units that do not have a local disk can quarantine blocked and infected files to a
FortiAnalyzer unit.
View the file names and status information about the file in the quarantined file list. Submit specific files
and add file patterns to the autoupload list so they are automatically uploaded to Fortinet for analysis.
Command syntax pattern
config antivirus quarantine
  set agelimit <hours_integer>
  set drop-blocked {imap nntp pop3 smtp}
  set drop-heuristic {ftp http im imap nntp pop3 smtp}
  set drop-infected {ftp http im imap nntp pop3 smtp}
  set lowspace {drop-new | ovrw-old}
  set maxfilesize <MB_integer>
  set quar-to-fortianalyzer {enable | disable}
  set store-blocked {imap nntp pop3 smtp}
  set store-heuristic {ftp http im imap nntp pop3 smtp}
  set store-infected {ftp http im imap nntp pop3 smtp}
end
Keywords and variables Description Default
agelimit <hours_integer>
  Specify how long files are kept in quarantine, to a maximum of 479 hours. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached the TTL column displays EXP and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
  0
drop-blocked {imap nntp pop3 smtp}
  Do not quarantine blocked files found in traffic for the specified protocols. The files are deleted. NNTP support for this keyword will be added in the future.
  imap nntp
drop-heuristic {ftp http im imap nntp pop3 smtp}
  Do not quarantine files found by heuristic scanning in traffic for the specified protocols. NNTP support for this keyword will be added in the future.
  http im imap nntp pop3 smtp
drop-infected {ftp http im imap nntp pop3 smtp}
  Do not quarantine virus infected files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future.
  im imap nntp
lowspace {drop-new | ovrw-old}
  Select the method for handling additional files when the FortiGate hard disk is running out of space. Enter ovrw-old to drop the oldest file (lowest TTL), or drop-new to drop new quarantine files.
  ovrw-old
maxfilesize <MB_integer>
  Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined files over the limit. The FortiGate unit does not quarantine any new files larger than this value. The file size range is 0-499 MB. Enter 0 for unlimited file size.
  0
Example
This example shows how to set the quarantine age limit to 100 hours, not quarantine blocked files from SMTP and POP3 traffic, not quarantine heuristic tagged files from SMTP and POP3 traffic, set the quarantine to drop new files if the memory is full, set the maximum file size to quarantine at 2 MB, quarantine files from IMAP traffic with blocked status, and quarantine files with heuristic status in IMAP, HTTP, and FTP traffic.
config antivirus quarantine
  set agelimit 100
  set drop-blocked smtp pop3
  set drop-heuristic smtp pop3
  set lowspace drop-new
  set maxfilesize 2
  set store-blocked imap
  set store-heuristic imap http ftp
end
quar-to-fortianalyzer {enable | disable}
  For FortiGate units that do not have a local disk, send infected files to a FortiAnalyzer unit.
  disable
store-blocked {imap nntp pop3 smtp}
  Quarantine blocked files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future.
  No default.
store-heuristic {ftp http im imap nntp pop3 smtp}
  Quarantine files found by heuristic scanning in traffic for the specified protocols. NNTP support for this keyword will be added in the future.
  No default.
store-infected {ftp http im imap nntp pop3 smtp}
  Quarantine virus infected files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future.
  No default.
Command history
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 The enable_auto_upload keyword was changed to enable-auto-submit.
FortiOS v3.0 Added IM and NNTP options.
FortiOS v3.0 MR5 Removed set enable-auto-submit, set sel-status, set use-fpat, set use-status.
Related topics
antivirus filepattern
antivirus heuristic
antivirus quarfilepattern
antivirus service
quarfilepattern
Use this command to configure the file patterns used by automatic file uploading. This command is
only available on FortiGate units with a hard drive.
Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Add file
patterns to be uploaded to the autoupload list using the * wildcard character. File patterns are applied
for autoupload regardless of file blocking settings.
Also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly
from the quarantined files list. For more information, see antivirus quarantine.
Command syntax pattern
config antivirus quarfilepattern
  edit pattern_str
    set status {enable | disable}
end
Keywords and variables Description Default
pattern_str The file pattern to be quarantined.
status {enable | disable} Enable or disable using a file pattern. disable
Example
Use the following commands to enable automatic upload of *.bat files.
config antivirus quarfilepattern
  edit *.bat
    set status enable
end
Command history
FortiOS v2.80 New.
FortiOS v3.0 MR5 Entire command removed.
Related topics
antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus service
service
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in
HTTP, HTTPS, FTP, POP3, IMAP, and SMTP traffic and what ports the FortiGate unit scans for these
services.
For HTTPS, you can only configure the ports.
Command syntax pattern
config antivirus service <service_str>
  set port <port_integer>
  set scan-bzip2 {enable | disable}
  set uncompnestlimit <depth_integer>
  set uncompsizelimit <MB_integer>
end
How file size limits work
The uncompsizelimit applies to the uncompressed size of the file. If other files are included within the
file, the uncompressed size of each one is checked against the uncompsizelimit value. If any one of the
uncompressed files is larger than the limit, the file is passed without scanning, but the total size of all
uncompressed files within the original file can be greater than the uncompsizelimit.
Keywords and variables Description Default
<service_str>
  The service being configured: HTTP, HTTPS, FTP, IM, IMAP, NNTP, POP3, SMTP.
port <port_integer>
  Configure antivirus scanning on a nonstandard port number or multiple port numbers for the service. Use ports from the range 1-65535. Add up to 20 ports.
  HTTP: 80, HTTPS: 443, FTP: 21, IMAP: 143, NNTP: 119, POP3: 110, SMTP: 25
scan-bzip2 {enable | disable}
  Enable to allow the antivirus engine to scan the contents of bzip2 compressed files. Requires antivirus engine 1.90 for full functionality. Bzip2 scanning is extremely CPU intensive. Unless this feature is required, leave scan-bzip2 disabled.
  disable
uncompnestlimit <depth_integer>
  Set the maximum number of archives in depth the AV engine will scan with nested archives. The limit is from 2 to 100. The supported compression formats are arj, bzip2, cab, gzip, lha, lzh, msc, rar, tar, and zip. Bzip2 support is disabled by default.
  12
uncompsizelimit <MB_integer>
  Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a value in megabytes between 1 and the maximum oversize threshold. Enter ? to display the range for your FortiGate unit. Enter 0 for no limit (not recommended).
  10 (MB)
Note: If a file has more nesting levels than the uncompnestlimit you set, or is larger than the uncompsizelimit you set, the file passes through without being virus scanned.
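The following Python is an added example, not FortiOS code, that models the two limits described in "How file size limits work" and the note above: each archive member's uncompressed size is checked against uncompsizelimit on its own (never the total), and an archive nested deeper than uncompnestlimit, or a member over the size limit, makes the whole file pass without being scanned. It assumes the outermost archive counts as depth 1, handles only zip (none of the engine's other formats), and builds its archives in memory from constructed data.

```python
"""Model of the uncompnestlimit / uncompsizelimit pass-through behaviour.

Added example, not FortiOS code. Assumptions: the outermost archive is
depth 1; only zip is handled (arj, bzip2, cab, gzip, lha, lzh, msc, rar
and tar are not modelled); all archives are constructed in memory.
"""
import io
import zipfile

MB = 1024 * 1024
DEFAULT_NEST_LIMIT = 12     # uncompnestlimit default from the table
DEFAULT_SIZE_LIMIT_MB = 10  # uncompsizelimit default from the table


def zip_bytes(members):
    """Build a zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nested_zip(depth, payload=b"constructed payload"):
    """Wrap payload in `depth` nested zip archives."""
    data = payload
    for level in range(depth):
        name = f"inner{level}.zip" if level else "payload.bin"
        data = zip_bytes({name: data})
    return data


def scan_decision(data, nest_limit=DEFAULT_NEST_LIMIT,
                  size_limit_mb=DEFAULT_SIZE_LIMIT_MB, depth=1):
    """Return ("scan", reason) or ("pass", reason) for one file.

    depth is the archive nesting level of `data` (1 = outermost archive).
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "scan", f"plain file inside {depth - 1} archive level(s)"
    if depth > nest_limit:
        return "pass", f"archive at depth {depth} exceeds uncompnestlimit {nest_limit}"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Compare the declared uncompressed size before inflating anything;
            # only the individual member is compared, never the running total.
            if size_limit_mb and info.file_size > size_limit_mb * MB:
                return "pass", (f"{info.filename} is {info.file_size} bytes, "
                                f"over uncompsizelimit {size_limit_mb} MB")
            verdict, reason = scan_decision(zf.read(info.filename), nest_limit,
                                            size_limit_mb, depth + 1)
            if verdict == "pass":
                return verdict, reason
    return "scan", f"all members within limits down to depth {depth}"


def demo():
    """Four cases a practitioner should recognise; returns the verdicts."""
    # Three 600 KB members: 1.8 MB in total, but each is under a 1 MB limit.
    three_small = zip_bytes({f"part{i}.bin": b"\0" * (600 * 1024) for i in range(3)})
    one_big = zip_bytes({"big.bin": b"\0" * (2 * MB)})
    return {
        "per_member_under_limit": scan_decision(three_small, size_limit_mb=1)[0],
        "one_member_over_limit": scan_decision(one_big, size_limit_mb=1)[0],
        "nesting_within_limit": scan_decision(nested_zip(3), nest_limit=3)[0],
        "nesting_over_limit": scan_decision(nested_zip(4), nest_limit=3)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The first case is the point of the paragraph: an archive whose members together exceed the limit is still scanned as long as no single member does, so the limit bounds memory per member rather than per transfer.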
Example
This example shows how to set the maximum uncompressed file size that can be buffered to memory for scanning at 15 MB, and how to enable antivirus scanning on ports 70, 80, and 443 for HTTP traffic.
config antivirus service http
  set uncompsizelimit 15
  set port 70
  set port 80
  set port 443
end
Command history
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR6 Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7 Added uncompsizelimit keyword.
FortiOS v3.0 Combined all services into one section. Added IM. Added scan-bzip2. Removed client comforting and file size limit commands.
FortiOS v3.0 MR3 Added support for HTTPS. But only ports can be configured.
Related topics
antivirus filepattern
antivirus heuristic
antivirus quarantine
antivirus quarfilepattern
firewall
Use firewall commands to configure firewall policies and protection profiles. These commands are
used to create or configure the objects used in policies and profiles: IP addresses, schedules, services.
Also use these commands to configure DNS translation, IP/MAC binding, and multicast policies.
This chapter contains the following sections:
address, address6
addrgrp, addrgrp6
dnstranslation
ipmacbinding setting
ipmacbinding table
ippool
multicast-policy
policy, policy6
profile
schedule onetime
schedule recurring
service custom
service group
service predefined
vip
vipgrp
address, address6
Use this command to add and edit addresses used in firewall policies. A firewall address can be
configured with a name, an IP address, and a netmask, or a name and IP address range.
The FortiGate unit comes configured with the default address All, which represents any IP address.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall
policies. If an address is included in a policy, it cannot be deleted unless it is first removed from the
policy.
Command syntax pattern
config firewall address, address6
  edit <name_str>
    set associated-interface <interface_name>
    set end-ip <address_ipv4>
    set fqdn <domain_name>
    set ip6 <ipv6_address_prefix>
    set start-ip <address_ipv4>
    set subnet <address_ipv4mask>
    set type {ipmask | iprange | fqdn}
end
Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address. IP address: 0.0.0.0 and
Netmask: 0.0.0.0 means all possible addresses.
For IPv6 addresses, you configure the IPv6 address prefixes only.
Keywords and variables Description Default
name_str The name of the address. No default
associated-interface <interface_name> The name of the associated interface. Null
end-ip <address_ipv4> If type is set to iprange, enter the end IP address for the range. 0.0.0.0
fqdn <domain_name> Enter the fully qualified domain name, if you set the address type to fqdn. No default
ip6 <ipv6_address_prefix> Enter the IPv6 address prefix. No default
start-ip <address_ipv4> If type is set to iprange, enter the start IP address for the range. 0.0.0.0
subnet <address_ipv4mask>
  If type is set to ipmask, the IP address can be the IP address of a single computer (for example, 192.45.46.45) or the address of a subnetwork (for example, 192.168.1.0). The netmask should correspond to the address being added. For example:
  The netmask for the IP address of a single computer should be 255.255.255.255.
  The netmask for a class A subnet should be 255.0.0.0.
  The netmask for a class B subnet should be 255.255.0.0.
  The netmask for a class C subnet should be 255.255.255.0.
  0.0.0.0 0.0.0.0
type {ipmask | iprange | fqdn} Specify whether this firewall address is a subnet address, an address range, or a fully qualified domain name. ipmask
Example
This example shows how to add an address called User_Network, with an IP address and mask, add an address called User_Range, with an IP address range, and add an address called User_Home, with a fully qualified domain name.
config firewall address
  edit User_Network
    set type ipmask
    set subnet 192.168.1.0 255.255.255.0
  next
  edit User_Range
    set type iprange
    set start-ip 10.10.1.10
    set end-ip 10.10.1.30
  next
  edit User_Home
    set type fqdn
    set fqdn www.example.com
end
Command history
FortiOS v2.80 Substantially revised. IP address range option added. Requiring that an address be added to an interface removed.
FortiOS v3.0 Added fqdn.
FortiOS v3.0 MR4 Added option associated-interface.
Related topics
firewall addrgrp, addrgrp6
firewall policy, policy6
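As an added example (not FortiOS code), the following Python models the three address types and the rules stated in this section: 0.0.0.0/255.255.255.255 is rejected, 0.0.0.0/0.0.0.0 means all addresses, the netmask must correspond to the address, and an iprange has a start and an end. It then answers the question a policy asks of an address object: does a given IP match it? The object names and values come from the example above; the IPs tested and the addresses the fqdn resolves to are constructed samples passed in by hand, since this model does no DNS lookups.

```python
"""Model of firewall address objects: ipmask, iprange and fqdn.

Added example, not FortiOS code. Object names are taken from this page's
example; test IPs and the fqdn's resolved addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


class AddressError(ValueError):
    """Raised for an address object the rules on this page reject."""


@dataclass
class FirewallAddress:
    name: str
    type: str = "ipmask"                 # default from the keyword table
    subnet: str = "0.0.0.0 0.0.0.0"      # "<ip> <netmask>" as typed in the CLI
    start_ip: str = "0.0.0.0"
    end_ip: str = "0.0.0.0"
    fqdn: str = ""

    def __post_init__(self):
        if self.type == "ipmask":
            ip, mask = self.subnet.split()
            if ip == "0.0.0.0" and mask == "255.255.255.255":
                raise AddressError("0.0.0.0/255.255.255.255 is not a valid firewall address")
            try:
                # strict=True rejects host bits the netmask does not cover,
                # i.e. a netmask that does not correspond to the address.
                self.network = ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)
            except ValueError as exc:
                raise AddressError(f"{self.name}: {exc}") from exc
        elif self.type == "iprange":
            self.start = ipaddress.IPv4Address(self.start_ip)
            self.end = ipaddress.IPv4Address(self.end_ip)
            if self.start > self.end:
                raise AddressError(f"{self.name}: start-ip is after end-ip")
        elif self.type == "fqdn":
            if not self.fqdn:
                raise AddressError(f"{self.name}: type fqdn needs a fqdn value")
        else:
            raise AddressError(f"{self.name}: unknown type {self.type}")

    def contains(self, ip, resolved=()):
        """True if dotted-quad `ip` matches this object.

        For type fqdn, `resolved` holds the addresses the name resolved to.
        FortiOS obtains them from its DNS server; this model takes them as
        an argument (constructed values in the test).
        """
        addr = ipaddress.IPv4Address(ip)
        if self.type == "ipmask":
            return addr in self.network
        if self.type == "iprange":
            return self.start <= addr <= self.end
        return addr in {ipaddress.IPv4Address(r) for r in resolved}


def is_valid(**kwargs):
    """True if FirewallAddress(**kwargs) would be accepted."""
    try:
        FirewallAddress(**kwargs)
        return True
    except AddressError:
        return False


def page_example():
    """The three objects from this page's example plus the built-in All."""
    objects = [
        FirewallAddress("User_Network", type="ipmask", subnet="192.168.1.0 255.255.255.0"),
        FirewallAddress("User_Range", type="iprange", start_ip="10.10.1.10", end_ip="10.10.1.30"),
        FirewallAddress("User_Home", type="fqdn", fqdn="www.example.com"),
        FirewallAddress("All"),  # default object: 0.0.0.0 0.0.0.0, any address
    ]
    return {obj.name: obj for obj in objects}


def matching_names(objects, ip, resolved=()):
    """Names of the objects that match `ip`, sorted."""
    return sorted(name for name, obj in objects.items() if obj.contains(ip, resolved))


if __name__ == "__main__":
    objs = page_example()
    for probe in ("192.168.1.77", "10.10.1.30", "10.10.1.31"):
        print(probe, "->", matching_names(objs, probe))
```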
addrgrp, addrgrp6
Add, edit, or delete address groups used in firewall policies.
Organize related addresses into address groups to make it easier to configure policies. For example, if
three addresses are created and then added to an address group, a single policy can be configured
using all three addresses.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall
policies. If an address group is included in a policy, it cannot be deleted unless it is first removed from
the policy.
Command syntax pattern
config firewall addrgrp, addrgrp6
    edit <group-name_str>
        set member <name_str> [<name_str> [<name_str> ...]]
end
Example
This example shows how to add an address group named Group1, and add the addresses User_Network and User_Range to the group.
config firewall addrgrp
    edit Group1
        set member User_Network User_Range
end
Keywords and variables    Description    Default
group-name_str
    The name of the address group.
    Default: No default
member <name_str> [<name_str> [<name_str> ...]]
    The names of the addresses to add to the address group. The member addresses must already have been added. Use spaces to separate the address names. Remove an address name from the group by retyping the list without including the address name.
    Default: No default
Command history
FortiOS v2.80        Revised.
Related topics
firewall address, address6
firewall policy, policy6
dnstranslation
Use this command to add, edit or delete a DNS translation entry.
DNS translation translates IP addresses in packets sent by a DNS server from the internal network to
the external network. Use DNS translation if there is a DNS server on the internal network that can be
accessed by users on the external network to find the IP addresses of servers on the internal network.
If users on the external network can access a server on the internal network using virtual IP mapping,
allow them to find the IP address of the server using a DNS query. If they query a DNS server that is
also on the internal network, the DNS server would return the internal IP address of the server. The
external users would not be able to use this IP address to access the internal server.
Using DNS translation, map the internal IP address of the server to an address that external users can
use to access this server. When the firewall receives DNS packets from the internal network that
match a DNS translation source address, DNS translation changes the IP address in the DNS packet
to the DNS translation destination IP address and forwards the packet through the firewall to the
external user.
Command syntax pattern
config firewall dnstranslation
    edit <id_integer>
        set dst <destination_ipv4>
        set netmask <address_mask>
        set src <source_ipv4>
end
Example
This example shows how to add DNS translation for the source and destination addresses listed.
config firewall dnstranslation
    edit 1
        set dst 172.16.200.190
        set netmask 255.255.255.0
        set src 192.168.100.12
end
Keywords and variables    Description    Default
id_integer
    The unique ID number of the DNS translation entry.
    Default: No default
dst <destination_ipv4>
    The destination address can be a single external IP address or the IP address of a subnet accessible from the external network.
    Default: No default
netmask <address_mask>
    Set the netmask as required for the source and destination address type.
    Default: No default
src <source_ipv4>
    The source address can be a single IP address on the internal network or the IP address of a subnet.
    Default: No default
Note: The source and destination addresses must both be single IP addresses or must both be subnet addresses. The netmask applies to both the source and destination addresses.
Command history
FortiOS v2.80        Revised.
Related topics
firewall vip
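The rewriting that a dnstranslation entry performs, as an added example in Python (not Fortinet code): the entry from the example above (src 192.168.100.12, dst 172.16.200.190, netmask 255.255.255.0) is applied to the A records of a constructed DNS response, and the /32 form the note permits is shown beside it. Assumed, not stated on the page: for a subnet entry the mapping is host-for-host, so the host bits of the internal address are kept and only the network part is replaced.

```python
"""Model of one FortiGate 'firewall dnstranslation' entry.

Added example, not Fortinet code. It applies one entry (src, dst, netmask) to
the A records of a DNS response the way the text above describes: answers
that carry an internal address matching src are rewritten to the externally
reachable dst address before the reply leaves the firewall.
Assumption (not stated on the page): for a subnet entry the mapping is
host-for-host, so the host bits of the internal address are kept and only the
network part is replaced by the dst network.
"""
import ipaddress
import struct


def _ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


class DnsTranslation:
    """config firewall dnstranslation: src -> dst, one netmask for both."""

    def __init__(self, src: str, dst: str, netmask: str) -> None:
        self.src = _ip_int(src)
        self.dst = _ip_int(dst)
        self.mask = _ip_int(netmask)

    def matches(self, ip: str) -> bool:
        """True when ip lies in the src host/subnet selected by netmask."""
        return (_ip_int(ip) & self.mask) == (self.src & self.mask)

    def translate(self, ip: str) -> str:
        """Return the external address for an internal one; other addresses pass unchanged."""
        if not self.matches(ip):
            return ip
        host_bits = _ip_int(ip) & (~self.mask & 0xFFFFFFFF)
        return str(ipaddress.IPv4Address((self.dst & self.mask) | host_bits))


def _skip_name(packet: bytes, pos: int) -> int:
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:       # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def answer_a_records(packet: bytes):
    """Yield (rdata_offset, dotted_ip) for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", packet, 4)
    pos = 12                                   # fixed 12-byte header
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4      # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, pos)
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            yield pos, str(ipaddress.IPv4Address(packet[pos:pos + 4]))
        pos += rdlen


def rewrite_response(packet: bytes, rule: DnsTranslation) -> bytes:
    """Copy of the response with translated A-record data; length and layout are unchanged."""
    buf = bytearray(packet)
    for offset, ip in answer_a_records(packet):
        buf[offset:offset + 4] = ipaddress.IPv4Address(rule.translate(ip)).packed
    return bytes(buf)


def translated_ips(packet: bytes, rule: DnsTranslation) -> list:
    return [ip for _, ip in answer_a_records(rewrite_response(packet, rule))]


def build_response(name: str, ips) -> bytes:
    """Constructed sample reply: one question and one A record per address, TTL 300."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    # The entry from the example above: src 192.168.100.12, dst 172.16.200.190, /24
    subnet_rule = DnsTranslation("192.168.100.12", "172.16.200.190", "255.255.255.0")
    # The same pair as single hosts (/32), the other form the note permits
    host_rule = DnsTranslation("192.168.100.12", "172.16.200.190", "255.255.255.255")
    reply = build_response("intranet.example.com", ["192.168.100.12", "10.9.8.7"])
    print(translated_ips(reply, subnet_rule))   # ['172.16.200.12', '10.9.8.7']
    print(translated_ips(reply, host_rule))     # ['172.16.200.190', '10.9.8.7']
```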
ipmacbinding setting
Use this command to configure IP/MAC binding settings. Enable or disable IP/MAC binding for traffic
going to or through the FortiGate unit. Allow or block traffic not defined in the IP/MAC binding table.
Enable or disable IP/MAC binding for each individual FortiGate interface using the ipmac keyword with the system interface command described on page 346.
IP/MAC binding protects the FortiGate unit and the network from IP spoofing attacks. IP spoofing attacks try to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. The IP address of a computer is easy to change to a trusted address, but MAC addresses are added to Ethernet cards at the factory and are not easy to change.
Command syntax pattern
config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}
    set bindtofw {enable | disable}
    set undefinedhost {allow | block}
end
Example
This example shows how to enable IP/MAC binding going to and going through the firewall, and allow undefined hosts (IP/MAC address pairs).
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost allow
end
Note: If IP/MAC binding is enabled, and the IP address of a computer with an IP or MAC address in the IP/MAC list is changed, the entry in the IP/MAC list must also be changed or the computer does not have access to or through the FortiGate unit. Also add the IP/MAC address pair of any new computer that is added to the network or the new computer does not have access to or through the FortiGate unit.
Note: If a client computer gets an IP address from the FortiGate DHCP server, the client's MAC address is automatically registered in the ipmacbinding table, which results in bypassing of the ipmacbinding settings.
Keywords and variables    Description    Default
bindthroughfw {enable | disable}
    Enter enable to use IP/MAC binding to filter packets that a firewall policy would normally allow through the firewall.
    Default: disable
bindtofw {enable | disable}
    Enter enable to use IP/MAC binding to filter packets that would normally connect with the firewall.
    Default: disable
undefinedhost {allow | block}
    Available when either bindthroughfw or bindtofw is enabled. Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list. Setting undefinedhost configures this behavior for traffic going through the firewall and traffic going to the firewall.
    Enter allow to allow packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
    Enter block to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
    Default: block
Command history
FortiOS v2.80        Revised.
Related topics
firewall ipmacbinding table
ipmacbinding table
Use this command to add IP and MAC address pairs to the IP/MAC binding table, or to edit or delete IP
and MAC address pairs added to the IP/MAC binding table.
Enable or disable IP/MAC binding for each individual FortiGate interface using the ipmac keyword with the interface command described on page 346.
Command syntax pattern
config firewall ipmacbinding table
    edit <sequence_integer>
        set ip <address_ipv4>
        set mac <address_hex>
        set name <name_str>
        set status {enable | disable}
end
Example
This example shows how to add and enable an IP/MAC entry in the IP/MAC binding table.
config firewall ipmacbinding table
    edit 1
        set ip 172.16.44.55
        set mac 00:10:F3:04:7A:4C
        set name RemoteAdmin
        set status enable
end
Keywords and variables    Description    Default
sequence_integer
    The unique ID number of this IP/MAC pair.
    Default: No default
ip <address_ipv4>
    The IP address to add to the IP/MAC binding table. Multiple IP addresses can be bound to the same MAC address. Multiple MAC addresses cannot be bound to the same IP address.
    Set the IP address to 0.0.0.0 to bind the MAC address to any IP address. This means that all packets with the MAC address are allowed to continue through the firewall to be matched with a firewall policy.
    Default: 0.0.0.0
mac <address_hex>
    The MAC address to add to the IP/MAC binding table. Set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are allowed to continue through the firewall to be matched with a firewall policy.
    Default: 00:00:00:00:00:00
name <name_str>
    Optional name for this entry in the IP/MAC address table.
    Default: noname
status {enable | disable}
    Enable or disable IP/MAC binding for this address pair.
    Default: disable
Command history
FortiOS v2.80        Revised.
Related topics
firewall ipmacbinding setting
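The decision logic that the ipmacbinding setting and ipmacbinding table commands above describe, as an added example in Python (not Fortinet code): the setting switches decide whether a packet's (IP, MAC) pair is checked for its direction at all, enabled table entries (including the 0.0.0.0 and 00:00:00:00:00:00 wildcards) define the accepted pairs, and undefinedhost decides pairs the list does not mention. Assumed, not stated on the page: an IP that is in the table with a different MAC is treated as spoofed and blocked regardless of undefinedhost, and MAC addresses compare case-insensitively.

```python
"""Model of FortiGate IP/MAC binding enforcement.

Added example, not Fortinet code. It combines the 'ipmacbinding setting'
switches with 'ipmacbinding table' entries to decide what happens to the
(IP, MAC) pair of an incoming packet.
Assumptions (not stated on the page): an IP listed in the table with a
different MAC is treated as a spoof and blocked regardless of undefinedhost;
MAC addresses compare case-insensitively.
"""
from dataclasses import dataclass

ANY_IP = "0.0.0.0"                # table: ip 0.0.0.0 = this MAC may use any IP
ANY_MAC = "00:00:00:00:00:00"     # table: mac 00:... = this IP may use any MAC


@dataclass
class Setting:
    """config firewall ipmacbinding setting (defaults as in the keyword table)."""
    bindthroughfw: bool = False
    bindtofw: bool = False
    undefinedhost: str = "block"


@dataclass
class Entry:
    """One 'config firewall ipmacbinding table' entry (defaults as in the keyword table)."""
    ip: str
    mac: str
    name: str = "noname"
    status: bool = False


class IpMacBinding:
    def __init__(self, setting: Setting) -> None:
        self.setting = setting
        self.table = {}           # sequence_integer -> Entry

    def add(self, seq: int, entry: Entry) -> None:
        entry.mac = entry.mac.lower()
        # Page rule: several IPs may share one MAC, but one IP cannot be bound to
        # more than one MAC.
        for other in self.table.values():
            if entry.ip != ANY_IP and other.ip == entry.ip and other.mac != entry.mac:
                raise ValueError(f"{entry.ip} is already bound to {other.mac}")
        self.table[seq] = entry

    def _enabled(self):
        return [e for e in self.table.values() if e.status]

    def _pair_defined(self, ip: str, mac: str) -> bool:
        return any((e.ip in (ANY_IP, ip)) and (e.mac in (ANY_MAC, mac))
                   for e in self._enabled())

    def decide(self, ip: str, mac: str, to_firewall: bool) -> str:
        """Return 'allow' (continue to policy matching), 'block', or 'not-checked'."""
        mac = mac.lower()
        checked = self.setting.bindtofw if to_firewall else self.setting.bindthroughfw
        if not checked:
            return "not-checked"           # binding disabled for this direction
        if self._pair_defined(ip, mac):
            return "allow"
        if any(e.ip == ip for e in self._enabled()):
            return "block"                 # known IP, unexpected MAC: the spoof case (assumption)
        return self.setting.undefinedhost  # pair not in the list at all


def page_example() -> IpMacBinding:
    """The configuration shown in the two examples above."""
    binding = IpMacBinding(Setting(bindthroughfw=True, bindtofw=True, undefinedhost="allow"))
    binding.add(1, Entry("172.16.44.55", "00:10:F3:04:7A:4C", "RemoteAdmin", status=True))
    return binding


if __name__ == "__main__":
    b = page_example()
    for ip, mac in [("172.16.44.55", "00:10:f3:04:7a:4c"),   # bound pair
                    ("172.16.44.55", "00:aa:bb:cc:dd:ee"),   # bound IP, other MAC
                    ("10.1.1.1", "00:aa:bb:cc:dd:ee")]:      # undefined pair
        print(ip, mac, "->", b.decide(ip, mac, to_firewall=False))
```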
ippool
Use this command to add IP address pools to use for NAT mode policies. An IP pool (also called a
dynamic IP pool) is a range of IP addresses added to a firewall interface. Enable Dynamic IP Pool in a
firewall policy to translate the source address to an address randomly selected from the IP pool. To
use IP pools the IP pool interface must be the same as the firewall policy destination interface.
Add an IP pool in order to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. IP pools are only available in NAT/Route mode. Add multiple IP pools to any interface and configure the firewall policy to select the IP pool to use for that firewall policy.
Command syntax pattern
config firewall ippool
    edit <id_integer>
        set endip <address_ipv4>
        set interface <name_str>
        set startip <address_ipv4>
end
Example
Use the following command to add an IP pool with these settings to the firewall configuration:
    ID number: 1
    interface name: internal
    start of IP address range: 192.168.1.100
    end of IP address range: 192.168.1.200
config firewall ippool
    edit 1
        set startip 192.168.1.100
        set endip 192.168.1.200
        set interface internal
end
Keywords and variables    Description    Default
id_integer
    The unique ID number of this IP pool.
    Default: No default
endip <address_ipv4>
    The end IP of the address range. The end IP must be higher than the start IP. The end IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0
interface <name_str>
    Add an IP pool with the specified start and end IP addresses to the named interface. On FortiGate models 200 and up the interface can also be a VLAN subinterface.
    Default: No default
startip <address_ipv4>
    The start IP of the address range. The start IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0
Command history
FortiOS v2.80        Revised.
Related topics
firewall policy, policy6
multicast-policy
Use this command to configure a source NAT IP. This command can also be used in Transparent
mode to enable multicast forwarding by simply adding a multicast policy.
The matched forwarded (outgoing) IP multicast source IP address is changed to the configured IP
address.
Command syntax pattern
config firewall multicast-policy
    edit <id_integer>
        set action <accept | deny>
        set dnat <address>
        set dstaddr <address_ipv4mask>
        set dstintf <name_str>
        set nat <address_ipv4>
        set srcaddr <address_ipv4mask>
        set srcintf <name_str>
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
end
Example
This example shows how to configure a multicast NAT policy.
config firewall multicast-policy
    edit 1
        set dstaddr 10.0.0.1 255.255.255.0
        set dstintf dmz/ha
        set nat 10.0.1.1
        set srcaddr 192.168.100.12 255.255.255.0
        set srcintf internal
end
Keywords and variables    Description    Default
id_integer
    The unique ID number of this multicast policy.
    Default: No default
action <accept | deny>
    Enter the policy action.
    Default: accept
dnat <address>
    Translate externally received multicast destination addresses to addresses that conform to your organization's internal addressing policy.
    Default: 0.0.0.0
dstaddr <address_ipv4mask>
    Enter the destination IP address and netmask to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0
dstintf <name_str>
    Enter the destination interface name to match against multicast NAT packets.
    Default: No default
nat <address_ipv4>
    Enter the IP address to substitute for the original source IP address.
    Default: 0.0.0.0
srcaddr <address_ipv4mask>
    Enter the source IP address and netmask to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0
srcintf <name_str>
    Enter the source interface name to match against multicast NAT packets.
    Default: No default
protocol <integer>
    Limit the number of protocols (services) sent out via multicast using the FortiGate.
    Default: No default
start-port <integer>
    The beginning of the port range used for multicast.
    Default: No default
end-port <integer>
    The end of the port range used for multicast.
    Default: No default
Command history
FortiOS v2.80        Revised.
FortiOS v3.0 MR4     Added protocol, start-port, and end-port to multicast-policy.
FortiOS v3.0 MR5     Added dnat.
Related topics
system global
policy, policy6
Use this command to add, edit, or delete firewall policies.
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions
used by the FortiGate unit to decide what to do with a connection request. The policy directs the
firewall to allow the connection, deny the connection, require authentication before the connection is
allowed, or process the packet as an IPSec VPN packet.
Command syntax pattern
config firewall policy, policy6
    edit <id_integer>
        set action {accept | deny | ipsec | ssl-vpn}
        set auth-cert <cert-name>
        set comments <comment_str>
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <outbound_binary>
        set diffservcode-rev <reply_binary>
        set disclaimer {enable | disable}
        set dstaddr <name_str>
        set dstintf <name_str>
        set fsae {enable | disable}
        set fsae-guest-profile {scan | strict | unfiltered | web}
        set fixedport {enable | disable}
        set forticlient-check {enable | disable}
        set forticlient-ra-notinstalled {enable | disable}
        set forticlient-ra-notlicensed {enable | disable}
        set forticlient-ra-db-outdated {enable | disable}
        set forticlient-ra-no-av {enable | disable}
        set forticlient-ra-no-fw {enable | disable}
        set forticlient-ra-no-wf {enable | disable}
        set forticlient-redir-portal {enable | disable}
        set gbandwidth <bandwidth_integer>
        set groups <name_str>
        set inbound {enable | disable}
        set ippool {enable | disable}
        set logtraffic {enable | disable}
        set maxbandwidth <bandwidth_integer>
        set nat {enable | disable}
        set natinbound {enable | disable}
        set natip <address_ipv4mask>
        set natoutbound {enable | disable}
        set ntlm {enable | disable}
        set outbound {enable | disable}
        set poolname <name_str>
        set priority {high | low | medium}
        set profile <name_str>
        set profile-status {enable | disable}
        set redirect-url <name_str>
        set schedule <name_str>
        set secure-vlan {enable | disable}
        set service <name_str>
        set srcaddr [all | <name_str>]
        set srcintf <name_str>
        set sslvpn-auth <any | ldap | local | radius>
        set sslvpn-ccert {enable | disable}
        set sslvpn-cipher <cipher_integer>
        set status {enable | disable}
        set swfport <swport_num>
        set swtport <swport_num>
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set trafficshaping {enable | disable}
        set vpntunnel <name_str>
end
Note: If you are creating an IPv6 policy, some of the IPv4 options, such as NAT and VPN settings, are not applicable.
Keywords and variables    Description    Default
id_integer
    The unique ID number of this policy.
    Default: No default
action {accept | deny | ipsec | ssl-vpn}
    Enter accept to accept packets that match the firewall policy. Also enable or disable nat to make this a NAT policy (NAT/Route mode only), enable or disable ippool so that the NAT policy selects a source address for packets from a pool of IP addresses added to the destination interface, and enable or disable fixedport so that the NAT policy does not translate the packet source port.
    Enter deny to deny packets that match the firewall policy.
    Enter ipsec to define an IPSec firewall encryption policy. When action is set to ipsec, you must specify the vpntunnel attribute. You may also enable or disable the inbound, outbound, natoutbound, and natinbound attributes and/or specify a natip value.
    Enter ssl-vpn to define an SSL VPN firewall encryption policy. When action is set to ssl-vpn, you may specify values for the sslvpn-auth, sslvpn-ccert, and sslvpn-cipher attributes.
    For IPv6 policies, only the accept and deny options are available.
    Default: deny
auth-cert <cert-name>
    HTTPS server certificate for policy authentication. Self-sign is the built-in certificate; others are listed as you add them.
    Default: self-sign
comments <comment_str>
    Optionally add a description or other information about the policy. comment_str is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces. For more information, see Entering spaces in strings on page 45.
    Default: No default
diffserv-forward {enable | disable}
    Enable or disable forward (original) Differentiated Services traffic for this policy.
    Default: disable
diffserv-reverse {enable | disable}
    Enable or disable reverse (reply) Differentiated Services traffic for this policy.
    Default: disable
diffservcode-forward <outbound_binary>
    Set the Differentiated Services Code Point (DSCP) value in the Diffserv field of outbound packets. The value is 6 bits binary. The valid range is 000000-111111.
    Default: 000000
diffservcode-rev <reply_binary>
    Set the Differentiated Services Code Point (DSCP) value in the Diffserv field of reply packets. The value is 6 bits binary. The valid range is 000000-111111.
    Default: 000000
disclaimer {enable | disable}
    Enable to display the Authentication Disclaimer page (a replacement message). The user must accept the disclaimer to connect to the destination. You can use the disclaimer in conjunction with authentication or a protection profile. This option is available on some models.
    Default: disable
dstaddr <name_str>
    Enter the destination address for the policy. For a NAT policy a virtual IP can be added. See vip on page 130. name_str is case-sensitive. You can add multiple names to the destination address in one line.
    If action is set to ipsec, enter the name of the IP address to which IP packets may be delivered at the remote end of the IPSec VPN tunnel. For details, see Defining IP source and destination addresses in the FortiGate IPSec VPN User Guide.
    If action is set to ssl-vpn, enter the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
    Default: null
dstintf <name_str>
    Enter the destination interface for the policy. The interface can be a physical interface, a VLAN subinterface or a zone. If the interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for dstintf.
    If action is set to ipsec, enter the name of the interface to the external (public) network.
    If action is set to ssl-vpn, enter the name of the interface to the local (private) network.
    Default: null
fsae {enable | disable}
    Enable or disable Active Directory authentication.
    Default: disable
fsae-guest-profile {scan | strict | unfiltered | web}
    Guest AV profile for FSAE authentication.
    Default: null
fixedport {enable | disable}
    When the action is set to accept, prevent a NAT policy from translating the source port. Some applications do not function correctly if the source port is changed. If fixedport is entered, also enable IP pools. Not enabling IP pools means a policy with fixedport can only allow one connection at a time for this port or service.
    Default: disable
forticlient-check {enable | disable}
    Check that the host has FortiClient Host Security software installed. Enable any of the following FortiClient-related options to deny the host access for reasons related to FortiClient software. This feature is available only on FortiGate models 1000A, 3600A and 5005FA2 and it can detect FortiClient Host Security software version 3.0 MR2 or later.
    Default: disable
forticlient-ra-notinstalled {enable | disable}
    Deny access to this firewall policy if the host does not have FortiClient Host Security software installed. This option is available only if forticlient-check is enabled.
    Default: disable
forticlient-ra-notlicensed {enable | disable}
    Deny access to this firewall policy if the host does not have a licensed copy of FortiClient Host Security software installed. This option is available only if forticlient-check is enabled.
    Default: disable
forticlient-ra-db-outdated {enable | disable}
    Deny access to this firewall policy if the FortiClient Host Security antivirus database on the host is out of date. This option is available only if forticlient-check is enabled.
    Default: disable
forticlient-ra-no-av {enable | disable}
    Deny access to this firewall policy if the FortiClient Host Security antivirus feature is not enabled on the host. This option is available only if forticlient-check is enabled.
    Default: disable
forticlient-ra-no-fw {enable | disable}
    Deny access to this firewall policy if the FortiClient Host Security firewall is not enabled on the host. This option is available only if forticlient-check is enabled.
    Default: disable
forticlient-ra-no-wf {enable | disable}
    Deny access to this firewall policy if FortiClient Host Security web filtering is not enabled on the host. This option is available only if forticlient-check is enabled.
    Default: disable
forticlient-redir-portal {enable | disable}
    Redirect denied users to the internal web portal. The portal page displays the reason the user was denied access. If a FortiClient image is loaded on the FortiGate unit, the user can download FortiClient Host Security software from the portal. You can change the TCP port for the portal using the forticlient-portal-port keyword in the system global command.
    Default: disable
gbandwidth <bandwidth_integer>
    When traffic shaping is enabled, guarantee the amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second.
    Default: 0
groups <name_str>
    When the action is set to accept, enter one or more user group names for users that authenticate through this policy. When user groups are created, they are paired with protection profiles. The user group name is case-sensitive.
    Default: No default
inbound {enable | disable}
    When action is set to ipsec, enable or disable traffic from computers on the remote private network to initiate an IPSec VPN tunnel.
    Default: disable
ippool {enable | disable}
    When the action is set to accept and NAT is enabled, configure a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy. If fixedport is specified for a service or for dynamic NAT, use IP pools.
    Default: disable
logtraffic {enable | disable}
    Enable or disable recording traffic log messages for this policy.
    Default: disable
maxbandwidth <bandwidth_integer>
    When traffic shaping is enabled, limit the maximum amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second. If maximum bandwidth is set to 0 no traffic is allowed by the policy.
    Default: 100
nat {enable | disable}
    When the action is set to accept, configure the policy for network address translation (NAT). NAT translates the source address and the source port of packets accepted by the policy. When NAT is enabled, ippool and fixedport can also be enabled or disabled.
    FortiOS v3.0 also supports NAT in transparent mode. For details see Example Two: Adding a NAT policy in transparent mode.
    Default: disable
natinbound {enable | disable}
    When action is set to ipsec, enable or disable translating the source addresses of IP packets emerging from the tunnel into the IP address of the FortiGate interface to the local private network.
    Default: disable
natip <address_ipv4mask>
    When action is set to ipsec and natoutbound is enabled, specify the source IP address and subnet mask to apply to outbound cleartext packets before they are sent through the tunnel.
    If you do not specify a natip value when natoutbound is enabled, the source addresses of outbound encrypted packets are translated into the IP address of the FortiGate external interface. When a natip value is specified, the FortiGate unit uses a static subnetwork-to-subnetwork mapping scheme to translate the source addresses of outbound IP packets into corresponding IP addresses on the subnetwork that you specify. For example, if the source address in the firewall encryption policy is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7.
    Default: 0.0.0.0 0.0.0.0
natoutbound {enable | disable}
    When action is set to ipsec, enable or disable translating the source addresses of outbound encrypted packets into the IP address of the FortiGate outbound interface. Enable this attribute in combination with the natip attribute to change the source addresses of IP packets before they go into the tunnel.
    Default: disable
ntlm {enable | disable}
    Enable or disable Active Directory authentication via NTLM.
    Default: disable
outbound {enable | disable}
    When action is set to ipsec, enable or disable traffic from computers on the local private network to initiate an IPSec VPN tunnel.
    Default: disable
poolname <name_str>
    When NAT and an IP pool are enabled, enter the name of the IP pool to use for the policy. This command only appears if nat and ippool are enabled and when the policy destination interface is the same as the IP pool interface.
    Default: No default
priority {high | low | medium}
    When traffic shaping is enabled, set the priority for traffic controlled by the policy. The available settings are high for high priority traffic, medium for medium priority traffic, and low for low priority traffic.
    Default: high
profile <name_str>
    When a protection profile is being used, enter the name of a profile to add the protection profile to the policy. The name_str variable is case-sensitive. This is automatically disabled if a user group with a protection profile has been selected for authentication.
    Default: No default
profile-status {enable | disable}
    Enable or disable using a protection profile for the policy. This is automatically disabled if a user group has been selected for authentication.
    Default: disable
redirect-url <name_str>
    If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer. This option is available on some models.
    Default: null
schedule <name_str>
    Enter the name of the one-time or recurring schedule to use for the policy. The name_str variable is case-sensitive.
    Default: No default
secure-vlan {enable | disable}
    Enable to create an intra-VLAN firewall policy. Specify the switch ports in swfport and swtport. This is available only on model 224B in switch view and only in the policy command, not policy6.
    Default: disable
service <name_str>
    Enter the name of the service to use for the policy. The name_str variable is case-sensitive. You can add multiple services in one line.
    Default: No default
srcaddr [all | <name_str>]
    Enter the source address for the policy. The name_str variable is case-sensitive. You can add multiple names to the source address on one line.
    If action is set to ipsec, enter the private IP address of the host, server, or network behind the FortiGate unit.
    If action is set to ssl-vpn and the firewall encryption policy is for web-only mode clients, type all.
    If action is set to ssl-vpn and the firewall encryption policy is for tunnel mode clients, enter the name of the IP address range that you reserved for tunnel mode clients. To define an address range for tunnel mode clients, see ssl settings on page 482.
    Default: null
srcintf <name_str>
    Enter the source interface for the policy. The interface can be a physical interface, a VLAN subinterface or a zone. If the interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for srcintf.
    If action is set to ipsec, enter the name of the interface to the local (private) network.
    If action is set to ssl-vpn, enter the name of the interface that accepts connections from remote clients.
    Default: null
Example One: Adding a policy in NAT/Route mode
On a FortiGate-100, 200, or 300, use the following example to add policy number 2 that allows users
on the external network to access a web server on a DMZ network. The policy:
Is for connections from the external interface (sr ci nt f is ext er nal ) to the DMZ interface
(dst i nt f is dmz)
Is enabled
sslvpn-auth <any | ldap | local | radius>
    When action is set to ssl-vpn, enter one of the following client-authentication options:
    If you want the FortiGate unit to authenticate remote clients using a local user group, a RADIUS server, or an LDAP server, type any.
    If the user group is a local user group, type local.
    If the remote clients are authenticated by an external RADIUS server, type radius.
    If the remote clients are authenticated by an external LDAP server, type ldap.
    Default: 0

sslvpn-ccert {enable | disable}
    When action is set to ssl-vpn, enable or disable the use of security certificates to authenticate remote clients.
    Default: disable

sslvpn-cipher <cipher_integer>
    When action is set to ssl-vpn, enter one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
    To use any cipher suite, type 0.
    To use a 164-bit or greater cipher suite (high), type 1.
    To use a 128-bit or greater cipher suite (medium), type 2.
    Default: 0

status {enable | disable}
    Enable or disable the policy.
    Default: enable

swfport <swport_num>
    Enter the source switch port for an intra-VLAN policy. 0 means any port. This is available only on model 224B in switch view when secure-vlan is set to enable.
    Default: 0

swtport <swport_num>
    Enter the destination switch port for an intra-VLAN policy. 0 means any port. This is available only on model 224B in switch view when secure-vlan is set to enable.

tcp-mss-sender <integer>
    Enter a TCP Maximum Segment Size (MSS) for the sender.
    When the FortiGate unit is configured to use PPPoE to connect to the ISP, certain web sites may not be accessible to users. This occurs because the PPPoE header uses 8 bytes of the standard Ethernet MTU of 1500, leaving only 1492 bytes for the IP packet.
    When the server sends a large packet with the DF bit set to 1, the ADSL provider's router either does not send an ICMP "fragmentation needed" message, or that message is dropped on its way back to the web server. In either case the web server never learns that fragmentation is required to reach the client, and the connection stalls.
    Use the tcp-mss-sender option in the firewall policy configuration to enable access to all web sites. For more information, see the article "Cannot view some web sites when using PPPoE" on the Fortinet Knowledge Center.

tcp-mss-receiver <integer>
    Enter a TCP MSS number for the receiver.

trafficshaping {enable | disable}
    Enable or disable traffic shaping. Also set gbandwidth, maxbandwidth, and priority.
    Default: disable

vpntunnel <name_str>
    When action is set to ipsec, enter the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.
    Default: null
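The tcp-mss-sender entry above describes a path-MTU-discovery blackhole. The following is an added example for this reference, not Fortinet code: a small Python model of the path it describes (web server on Ethernet, a PPPoE link in the middle, a router that drops oversized DF packets silently). The figures are assumptions: Ethernet MTU 1500, PPPoE overhead 8 bytes (link MTU 1492), IPv4 and TCP headers of 20 bytes each with no options. It shows why most of a large response never arrives, and that clamping the advertised MSS to 1452 (which is what tcp-mss-sender does to the forwarded SYN) makes every segment fit.

```python
# Added example: toy model of the PPPoE MSS problem, not FortiOS code.
# Assumed figures: Ethernet MTU 1500, PPPoE overhead 8, IPv4/TCP headers 20 each.
ETH_MTU = 1500
PPPOE_OVERHEAD = 8
IP_HDR = 20
TCP_HDR = 20


def mss_for_mtu(link_mtu):
    """Largest TCP payload that fits in one packet on a link with this MTU."""
    return link_mtu - IP_HDR - TCP_HDR


def segments(total_bytes, mss):
    """Split a response into the TCP segments a server sends at this MSS."""
    return [min(mss, total_bytes - sent) for sent in range(0, total_bytes, mss)]


def deliver(payloads, link_mtus, router_sends_icmp):
    """Push DF-marked segments over a path; return (bytes delivered, feedback seen).

    A segment fits if payload + headers <= the smallest MTU on the path.
    When it does not fit and the router stays silent, the segment simply
    vanishes: the sender gets no ICMP and never learns the path MTU.
    """
    path_mtu = min(link_mtus)
    delivered, feedback = 0, False
    for payload in payloads:
        if payload + IP_HDR + TCP_HDR <= path_mtu:
            delivered += payload
        elif router_sends_icmp:
            feedback = True  # working PMTUD: the sender would shrink its segments
    return delivered, feedback


def web_response_delivered(clamp_mss=None, response_bytes=4000):
    """Bytes of a response that reach a PPPoE client, with or without MSS clamping.

    Without clamping the client advertises the MSS for its own Ethernet
    segment (1460). With clamping the MSS option in the forwarded SYN is
    lowered, so the server never sends a segment the PPPoE link cannot carry.
    """
    advertised = mss_for_mtu(ETH_MTU)
    mss = min(advertised, clamp_mss) if clamp_mss else advertised
    path = [ETH_MTU, ETH_MTU - PPPOE_OVERHEAD, ETH_MTU]
    delivered, _ = deliver(segments(response_bytes, mss), path, router_sends_icmp=False)
    return delivered


if __name__ == "__main__":
    clamp = mss_for_mtu(ETH_MTU - PPPOE_OVERHEAD)
    print("MSS to set for a PPPoE link:", clamp)
    print("delivered without clamp:", web_response_delivered())
    print("delivered with tcp-mss-sender", clamp, ":", web_response_delivered(clamp))
```

Without the clamp only the final, short segment of a 4000-byte response arrives; with tcp-mss-sender set to 1452 all of it does. The same arithmetic applies to any other encapsulation: subtract the overhead from the link MTU, then subtract the IP and TCP headers.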
- Allows users from any IP address on the Internet to access the web server (srcaddr is all)
- Allows access to an address on the DMZ network (dstaddr is dmz_web_server)
- Sets the schedule to Always so that users can access the web server 24 hours a day, seven days a week
- Sets the service to HTTP to limit access to the web server to HTTP connections
- Sets action to accept to allow connections
- Applies network address translation (nat is enabled)
- Applies traffic shaping to guarantee 100 KBytes/s of bandwidth, to limit the maximum bandwidth to 500 KBytes/s, and to set the priority for the traffic accepted by this policy to medium (trafficshaping enabled, gbandwidth set to 100, maxbandwidth set to 500, priority set to medium)
    config firewall policy
        edit 2
            set srcintf external
            set dstintf dmz
            set status enable
            set srcaddr all
            set dstaddr dmz_web_server
            set schedule Always
            set service HTTP
            set action accept
            set nat enable
            set trafficshaping enable
            set gbandwidth 100
            set maxbandwidth 500
            set priority medium
    end
Example Two: Adding a NAT policy in Transparent mode

For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other.

A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IPs, all FortiGate interfaces respond to connections to both of these IP addresses.

In the example below, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface.

Similarly, on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99.

The example describes adding an internal to wan1 firewall policy to relay these packets from the internal interface out the wan1 interface to the Internet. Because the wan1 interface does not have an IP address of its own, you must add an IP pool to the wan1 interface that translates the source addresses of the outgoing packets to an IP address on the network connected to the wan1 interface.

The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent by a PC on the internal network that are accepted by the internal to wan1 policy leave the wan1 interface with their source address translated to 10.1.1.201. These packets can now travel across the Internet to their destination. Reply packets return to the wan1 interface because they have a destination address of 10.1.1.201. The internal to wan1 NAT policy translates the destination address of these return packets back to the IP address of the originating PC and sends them out the internal interface to the originating PC.

Use the following steps to configure NAT in Transparent mode:
- Adding two management IPs
- Adding an IP pool to the wan1 interface
- Adding an internal to wan1 firewall policy

Adding two management IPs
Use the following commands to add two management IPs. The second management IP is the default gateway for the internal network.
    config system settings
        set manageip 10.1.1.99/24 192.168.1.99/24
    end

Adding an IP pool to the wan1 interface
Use the following command to add an IP pool to the wan1 interface:
    config firewall ippool
        edit nat-out
            set interface "wan1"
            set startip 10.1.1.201
            set endip 10.1.1.201
    end

Adding an internal to wan1 firewall policy
Use the following command to add an internal to wan1 firewall policy with NAT enabled that also includes an IP pool:
    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ANY"
            set nat enable
            set ippool enable
            set poolname nat-out
    end
Note that this policy accepts any service from any internal address to any destination. In a production configuration, restrict srcaddr, dstaddr and service to what the internal hosts actually need.
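The two firewall policies shown on this page (the external-to-DMZ web server policy and the Transparent-mode NAT policy), together with the sslvpn-cipher levels described in the keyword table, are the kind of thing a reviewer checks by hand. The following is an added example for this reference, not Fortinet code: a Python parser for the config / edit / set / next / end layout used throughout this document (including sub-tables such as config sip inside a profile entry) and a small audit over the parsed policies. SAMPLE_CONFIG is constructed from the two policies above plus an invented ssl-vpn policy (id 3) and an invented profile ("voip"); the audit rules are a reviewer's assumptions about what deserves a second look, not FortiOS behaviour.

```python
# Added example: parse FortiOS-style CLI config and audit firewall policies.
# Not Fortinet code. SAMPLE_CONFIG is constructed for this example.
import shlex

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
    next
    edit 2
        set srcintf external
        set dstintf dmz
        set status enable
        set srcaddr all
        set dstaddr dmz_web_server
        set service HTTP
        set action accept
        set nat enable
    next
    edit 3
        set srcintf wan1
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action ssl-vpn
        set sslvpn-auth any
        set sslvpn-cipher 0
    end
config firewall profile
    edit "voip"
        config sip
            set status enable
            set invite-rate 20
        end
        set comment "constructed sample"
    end
"""


def parse_config(text):
    """Return {table: {entry_id: {keyword: [values]}}}.

    'set' lines directly under a table (no 'edit') are stored on the table;
    a sub-table inside an entry is stored under the entry's '_config' key.
    Both 'next' and 'end' close an open entry, as the examples above do.
    """
    root, stack = {}, []  # stack items: [table_dict, current_entry_or_None]
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            inside_entry = stack and stack[-1][1] is not None
            parent = stack[-1][1].setdefault("_config", {}) if inside_entry else root
            stack.append([parent.setdefault(" ".join(args), {}), None])
        elif cmd == "edit":
            stack[-1][1] = stack[-1][0].setdefault(args[0], {})
        elif cmd == "set":
            target = stack[-1][1] if stack[-1][1] is not None else stack[-1][0]
            target[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if stack:
        raise ValueError("unterminated config block")
    return root


def first(entry, keyword, default=""):
    """First value of a keyword, or the default when it is unset."""
    values = entry.get(keyword)
    return values[0] if values else default


def audit_policies(cfg):
    """Return [(policy_id, message)] for policies worth a second look (reviewer heuristics)."""
    findings = []
    for pid, p in cfg.get("firewall policy", {}).items():
        if not isinstance(p, dict) or first(p, "status", "enable") == "disable":
            continue  # table-level sets or disabled policies match no traffic
        action = first(p, "action", "deny")
        if (action == "accept" and first(p, "srcaddr") == "all"
                and first(p, "dstaddr") == "all" and first(p, "service").upper() == "ANY"):
            findings.append((pid, "accepts any service from any source to any destination"))
        if first(p, "ippool") == "enable" and first(p, "nat") != "enable":
            findings.append((pid, "ippool enable has no effect unless nat is also enabled"))
        if action == "ssl-vpn" and first(p, "sslvpn-cipher", "0") == "0":  # table default is 0
            findings.append((pid, "sslvpn-cipher 0 accepts any cipher suite; set 1 (high) or 2 (medium)"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_policies(parse_config(SAMPLE_CONFIG)):
        print(f"policy {pid}: {msg}")
```

Feed it a saved "show firewall policy" listing and it flags the Transparent-mode example's all/all/ANY policy and any ssl-vpn policy still on the default cipher level; the web-server policy (HTTP only, to one address) produces no finding.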
Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP pool.

Command history
FortiOS v2.80       Revised.
FortiOS v2.80 MR2   Replaced usrgrp keyword with userdomain. Added poolname keyword.
FortiOS v2.80 MR3   Removed userdomain keyword. Added groups keyword.
FortiOS v2.80 MR6   Removed authentication keyword. Authentication is automatically enabled for a policy when one or more user groups are set with the groups keyword.
FortiOS v3.0        Added ssl-vpn options: sslvpn-ccert, sslvpn-cipher, and sslvpn-auth. The encrypt action name changed to ipsec. Updated ipsec options: vpntunnel, inbound, outbound, natoutbound, natinbound, and natip. Added fsae. Changes to profile and profile_status. Added tcp-mss-sender and tcp-mss-receiver.
FortiOS v3.0 MR4    Added the ntlm command. Described the new ability to add multiple entries for the following commands: srcaddr, dstaddr, and service. NAT policy in Transparent mode example added.
FortiOS v3.0 MR5    Added secure-vlan keyword. This is available only on the FortiGate-224B unit.

Related topics
firewall address, address6
firewall profile
firewall schedule onetime
firewall schedule recurring
firewall service custom
firewall service group
profile
Use this command to add, edit, or delete protection profiles. Use protection profiles to apply different
protection settings for traffic controlled by firewall policies.
Command syntax pattern
    config firewall profile
        edit <profile_str>
            config sccp
                set status {enable | disable}
                set archive-summary {enable | disable}
                set block-mcast {enable | disable}
                set max-calls <limit_integer>
                set no-content-summary {enable | disable}
                set verify-header {enable | disable}
            end
            config simple
                set status {enable | disable}
                set archive-full {enable | disable}
                set archive-summary {enable | disable}
                set block-message {enable | disable}
                set message-rate <limit_integer>
            end
            config sip
                set status {enable | disable}
                set archive-summary {enable | disable}
                set block-ack {enable | disable}
                set block-bye {enable | disable}
                set block-cancel {enable | disable}
                set block-info {enable | disable}
                set block-invite {enable | disable}
                set block-long-lines {enable | disable}
                set block-notify {enable | disable}
                set block-options {enable | disable}
                set block-prack {enable | disable}
                set block-publish {enable | disable}
                set block-refer {enable | disable}
                set block-register {enable | disable}
                set block-subscribe {enable | disable}
                set block-unknown {enable | disable}
                set block-update {enable | disable}
                set call-keepalive <limit_integer>
                set invite-rate <limit_integer>
                set max-dialogs <limit_integer>
                set max-line-length <limit_integer>
                set register-rate <limit_integer>
                set rtp {enable | disable}
                set strict-register {enable | disable}
            end
            set aim {enable-inspect archive-full archive-summary block-im block-file block-audio block-encrypt block-photo inspect-anyport no-content-summary}
            set bittorrent {block | pass | limit}
            set bittorrent-limit <limit_integer>
            set comment <comment_str>
            set edonkey {block | pass | limit}
            set edonkey-limit <limit_integer>
            set filepattable <list_id>
            set ftgd-wf-allow <cat_integer> [-<cat_integer> [-<cat_integer>]]
            set ftgd-wf-deny <cat_integer> [-<cat_integer> [-<cat_integer>]]
            set ftgd-wf-enable [<id> | c<id> | g<id>]
            set ftgd-wf-disable [<id> | c<id> | g<id>]
            set ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip strict-blocking}
            set ftgd-wf-log <cat_integer> [-<cat_integer> [-<cat_integer>]]
            set ftgd-wf-options {allow-ovrd error-allow http-err-detail rate-image-urls rate-server-ip strict-blocking}
            set ftgd-wf-ovrd <cat_integer> [-<cat_integer> [-<cat_integer>]]
            set ftgd-wf-ovrd-group <group_str>
            set ftp {archive-full archive-summary avmonitor avquery block clientcomfort no-content-summary oversize quarantine scan splice}
            set ftpcomfortamount <size_integer>
            set ftpcomfortinterval <seconds>
            set ftpoversizelimit <size_integer>
            set gnutella {block | pass | limit}
            set gnutella-limit <limit_integer>
            set http {activexfilter archive-full archive-summary avmonitor avquery bannedword block chunkedbypass clientcomfort cookiefilter exemptword fortiguard-wf javafilter no-content-summary oversize quarantine rangeblock scan strict-file urlfilter}
            set httpcomfortamount <size_integer>
            set httpcomfortinterval <seconds>
            set httpoversizelimit <size_integer>
            set http-retry-count <retry_integer>
            set https {allow-ssl-unknown-sess-id archive-summary block-invalid-url fortiguard-wf no-content-summary urlfilter}
            set icq {enable-inspect block-im block-file block-audio content-meta content-full inspect-anyport no-content-summary}
            set im {avmonitor avquery block oversize quarantine scan}
            set imoversizelimit <size_integer>
            set imap {archive-full archive-summary avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
            set imapoversizelimit <size_integer>
            set imap-spamaction {pass | tag}
            set imap-spamtagmsg <message_str>
            set imap-spamtagtype {header | subject | spaminfo}
            set ips-anomaly {info | low | medium | high | critical}
            set ips-log {enable | disable}
            set ips-signature {info | low | medium | high | critical}
            set kazaa {block | pass | limit}
            set kazaa-limit <limit_integer>
            set log-av-block {enable | disable}
            set log-av-oversize {enable | disable}
            set log-av-virus {enable | disable}
            set log-im {enable | disable}
            set log-ips {enable | disable}
            set log-p2p {enable | disable}
            set log-spam {enable | disable}
            set log-voip {enable | disable}
            set log-voip-violations {enable | disable}
            set log-web-content {enable | disable}
            set log-web-filter-activex {enable | disable}
            set log-web-filter-cookie {enable | disable}
            set log-web-filter-applet {enable | disable}
            set log-web-ftgd-err {enable | disable}
            set log-web-url {enable | disable}
            set mail-sig <signature_str>
            set mailsig-status {enable | disable}
            set msn {enable-inspect block-im block-file block-audio block-photo content-meta content-full no-content-summary}
            set nntp {archive-full archive-summary avmonitor avquery block no-content-summary oversize scan spam-mail-log}
            set nntpoversizelimit <value>
            set p2p {enable | disable}
            set pop3 {archive-full archive-summary avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
            set pop3oversizelimit <size_integer>
            set pop3-spamaction {pass | tag}
            set pop3-spamtagmsg <message_str>
            set pop3-spamtagtype {header | subject | spaminfo}
            set skype {block | pass}
            set smtp {archive-full archive-summary avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfsip spamfschksum spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
            set smtpoversizelimit <size_integer>
            set smtp-spamaction {discard | pass | tag}
            set smtp-spamhdrip {enable | disable}
            set smtp-spam-localoverride {enable | disable}
            set smtp-spamtagmsg <message_str>
            set smtp-spamtagtype {header | subject | spaminfo}
            set spambwordtable <list_id>
            set spamemaddrtable <list_id>
            set spamipbwltable <list_id>
            set spamiptrusttable <list_id>
            set spammheadertable <list_id>
            set spamrbltable <list_id>
            set spambwordthreshold <value_integer>
            set webbwordtable <list_id>
            set webexmwordtable <list_id>
            set weburlfiltertable <list_id>
            set webwordthreshold <value_integer>
            set winny {block | pass | limit}
            set winny-limit <limit_integer>
            set yahoo {enable-inspect block-im block-file block-audio block-photo content-meta content-full inspect-anyport no-content-summary}
    end
Keywords and variables (description and default for each)

profile_str
    The name of this protection profile.
    No default.

sccp
    The following commands are the set options for config sccp.

    status {enable | disable}
        Enable inspection of SCCP traffic. For all other set options to be available, status must be enabled.
        Default: disable
    archive-summary {enable | disable}
        Archive call details.
        Default: disable
    block-mcast {enable | disable}
        Block multicast RTP connections.
        Default: disable
    max-calls <limit_integer>
        Maximum calls per minute per SCCP client (maximum 65535).
        Default: 0
    no-content-summary {enable | disable}
        Disable monitoring of content information from the dashboard.
        Default: disable
    verify-header {enable | disable}
        Verify SCCP header content.
        Default: disable

simple
    The following commands are the set options for config simple.

    status {enable | disable}
        Enable inspection of SIMPLE traffic. For all other set options to be available, status must be enabled.
        Default: disable
    archive-full {enable | disable}
        Archive the full contents of chat messages.
        Default: disable
    archive-summary {enable | disable}
        Archive summary information for chat messages.
        Default: disable
    block-message {enable | disable}
        Block SIMPLE instant messages when enabled.
        Default: disable
    message-rate <limit_integer>
        MESSAGE request rate limit (per second, per policy).
        Default: 0

sip
    The following commands are the set options for config sip.

    status {enable | disable}
        Enable inspection of SIP traffic. For all other set options to be available, status must be enabled.
        Default: disable
    archive-summary {enable | disable}
        Archive call details.
        Default: disable
    block-ack {enable | disable}
        Block ACK requests.
        Default: disable
    block-bye {enable | disable}
        Block BYE requests.
        Default: disable
    block-cancel {enable | disable}
        Block CANCEL requests.
        Default: disable
    block-info {enable | disable}
        Block INFO requests.
        Default: disable
    block-invite {enable | disable}
        Block INVITE requests.
        Default: disable
    block-long-lines {enable | disable}
        Block requests with header lines exceeding max-line-length.
        Default: enable
    block-notify {enable | disable}
        Block NOTIFY requests.
        Default: disable
    block-options {enable | disable}
        Block OPTIONS requests.
        Default: disable
    block-prack {enable | disable}
        Block PRACK requests.
        Default: disable
    block-publish {enable | disable}
        Block PUBLISH requests.
        Default: disable
    block-refer {enable | disable}
        Block REFER requests.
        Default: disable
    block-register {enable | disable}
        Block REGISTER requests.
        Default: disable
    block-subscribe {enable | disable}
        Block SUBSCRIBE requests.
        Default: disable
    block-unknown {enable | disable}
        Block unrecognized SIP requests.
        Default: enable
    block-update {enable | disable}
        Block UPDATE requests.
        Default: disable
    call-keepalive <limit_integer>
        Continue tracking calls with no RTP for this many minutes.
        Default: 0
    invite-rate <limit_integer>
        INVITE request rate limit (per second, per policy).
        Default: 0
    max-dialogs <limit_integer>
        Maximum number of concurrent dialogs (calls).
        Default: 0
    max-line-length <limit_integer>
        Maximum SIP header line length (78-4096).
        Default: 998
    register-rate <limit_integer>
        REGISTER request rate limit (per second, per policy).
        Default: 0
    rtp {enable | disable}
        Create pinholes for RTP traffic to traverse the firewall.
        Default: enable
    strict-register {enable | disable}
        Only allow the registrar to connect.
        Default: disable
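The sip table above lists per-method blocks, a header line-length limit and two rate limits, but reading a table does not show how they combine on real requests. The following is an added example for this reference, not FortiOS code: a Python model that applies those keywords, with the table's defaults, to constructed SIP requests. Assumptions: a rate limit of 0 means no limit, and limits are counted per wall-clock second per policy; the SipRequestFilter class and sip_request() helper are invented for the example, and the sample messages are constructed, not captured.

```python
# Added example: model of the "config sip" request checks, not FortiOS code.
# Assumption: rate limit 0 means unlimited; limits count per wall-clock second.
import re
from collections import defaultdict

KNOWN_METHODS = {"ACK", "BYE", "CANCEL", "INFO", "INVITE", "NOTIFY", "OPTIONS",
                 "PRACK", "PUBLISH", "REFER", "REGISTER", "SUBSCRIBE", "UPDATE"}

# Defaults taken from the keyword table; every other block-* keyword is unset.
SIP_DEFAULTS = {"status": "enable", "block-long-lines": "enable",
                "block-unknown": "enable", "max-line-length": 998,
                "invite-rate": 0, "register-rate": 0}

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
RATE_KEYWORD = {"INVITE": "invite-rate", "REGISTER": "register-rate"}


class SipRequestFilter:
    """Decide pass/block for one SIP request according to the profile settings."""

    def __init__(self, profile):
        self.p = {**SIP_DEFAULTS, **profile}
        self.seen = defaultdict(int)  # (method, second) -> requests counted

    def check(self, message, now):
        """Return (allowed, reason); `now` is a time in seconds."""
        if self.p["status"] != "enable":
            return True, "sip inspection disabled"
        lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            return False, "malformed request line"
        method = m.group(1)
        if method not in KNOWN_METHODS:
            if self.p["block-unknown"] == "enable":
                return False, f"block-unknown: {method}"
        elif self.p.get(f"block-{method.lower()}") == "enable":
            return False, f"block-{method.lower()}"
        if self.p["block-long-lines"] == "enable":
            limit = int(self.p["max-line-length"])
            longest = max(len(line) for line in lines)
            if longest > limit:
                return False, f"block-long-lines: {longest} > max-line-length {limit}"
        keyword = RATE_KEYWORD.get(method)
        if keyword and int(self.p[keyword]) > 0:
            bucket = (method, int(now))
            self.seen[bucket] += 1
            if self.seen[bucket] > int(self.p[keyword]):
                return False, f"{keyword} {self.p[keyword]}/s exceeded"
        return True, "pass"


def sip_request(method, extra_headers=()):
    """Build a minimal SIP request (constructed sample, not a capture)."""
    lines = [f"{method} sip:bob@example.net SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
             "From: <sip:alice@example.net>;tag=1928301774",
             "To: <sip:bob@example.net>",
             "Call-ID: a84b4c76e66710@192.0.2.10",
             f"CSeq: 314159 {method}",
             *extra_headers,
             "Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"


def demo():
    """Run a profile with invite-rate 2 and block-options over sample requests."""
    f = SipRequestFilter({"invite-rate": 2, "block-options": "enable"})
    return {
        "invite_1": f.check(sip_request("INVITE"), now=10.0),
        "invite_2": f.check(sip_request("INVITE"), now=10.4),
        "invite_3_same_second": f.check(sip_request("INVITE"), now=10.9),
        "invite_next_second": f.check(sip_request("INVITE"), now=11.0),
        "options": f.check(sip_request("OPTIONS"), now=12.0),
        "unknown_method": f.check(sip_request("FLOOD"), now=12.0),
        "long_header": f.check(sip_request("BYE", ["X-Pad: " + "A" * 1200]), now=12.0),
        "bye": f.check(sip_request("BYE"), now=12.0),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22} {'pass ' if allowed else 'BLOCK'} {reason}")
```

Two of the defaults do work even in an otherwise empty profile: an unknown method is dropped by block-unknown, and a 1207-character header line is dropped by block-long-lines at the 998-byte default. The rate limit is the only check that keeps state, so a third INVITE in the same second is blocked while the next second starts fresh.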
The following commands are the set options for edit <profile_str>.

aim {enable-inspect archive-full archive-summary block-im block-file block-audio block-encrypt block-photo inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of AOL Instant Messenger traffic.
    Enter archive-full to archive full content information.
    Enter archive-summary to archive meta-information.
    Enter block-im to block instant messages.
    Enter block-file to block file transfers.
    Enter block-audio to block audio content.
    Enter block-encrypt to block encrypted sessions.
    Enter block-photo to block photo sharing.
    Enter inspect-anyport to inspect on any port that is not used by any proxy.
    Enter no-content-summary to stop content information from displaying on the dashboard.
    No default.

bittorrent {block | pass | limit}
    Before you can configure this option, you must enable p2p scanning.
    Enter block to block BitTorrent peer-to-peer traffic.
    Enter pass to allow BitTorrent traffic.
    Enter limit to restrict the bandwidth used by BitTorrent. Enter the bandwidth limit with bittorrent-limit.
    Default: pass

bittorrent-limit <limit_integer>
    When bittorrent is set to limit, use bittorrent-limit to specify the maximum bandwidth use allowed. The limit_integer can be 0 to 100000 Kbytes/second. If the maximum bandwidth is set to 0, no traffic is allowed by the policy.
    Default: 0

comment <comment_str>
    Enter comments about the protection profile. Comments can be up to 64 characters long.

edonkey {block | pass | limit}
    Before you can configure this option, you must enable p2p scanning.
    Enter block to block eDonkey peer-to-peer traffic.
    Enter pass to allow eDonkey traffic.
    Enter limit to restrict the bandwidth used by eDonkey. Enter the bandwidth limit with edonkey-limit.
    Default: pass

edonkey-limit <limit_integer>
    When edonkey is set to limit, use edonkey-limit to specify the maximum bandwidth use allowed. The limit_integer can be 0 to 100000 Kbytes/second. If the maximum bandwidth is set to 0, no traffic is allowed by the policy.
    Default: 0

filepattable <list_id>
    Specify the ID number of the file pattern list to be used with the protection profile. This command only appears on FortiGate-800 and above units.

ftgd-wf-allow <cat_integer> [-<cat_integer> [-<cat_integer>]]
    Subscribe to the FortiGuard-Web Filtering service to use category blocking. See webfilter fortiguard on page 496.
    Enter set ftgd-wf-allow ? at the prompt to view the list of categories and category groups. Categories are organized into groups to make selection easier.
    Enter one or more integers representing the categories or groups of web pages to allow. Use a space to separate the integers or groups.
    To delete entries, use the unset command to delete the entire list.
    Default: all categories not specified as deny or monitor.

ftgd-wf-deny <cat_integer> [-<cat_integer> [-<cat_integer>]]
    Enter set ftgd-wf-deny ? at the prompt to view the list of categories, category groups and classifications. Categories are organized into groups to make selection easier.
    Enter one or more integers representing the categories or groups of web pages to block. Use a space to separate the integers.
    To delete entries, use the unset command to delete the entire list.
    No default.

ftgd-wf-enable [<id> | c<id> | g<id>]
    Enable categories for use in local ratings. You can enable categories, classes, and groups.

ftgd-wf-disable [<id> | c<id> | g<id>]
    Disable categories for use in local ratings. You can disable categories, classes, and groups.

ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip strict-blocking}
    Select the options for category blocking of HTTPS traffic.
    Enter allow-ovrd to allow authenticated rating overrides.
    Enter error-allow to allow web pages with a rating error to pass through.
    Enter rate-server-ip to send both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system.
    Enter strict-blocking to block a web page if any classification or category matches the rating.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    No default.
ftgd-wf-log <cat_integer> [-<cat_integer> [-<cat_integer>]]
    Enter set ftgd-wf-log ? at the prompt to view the list of categories and category groups. Categories are organized into groups to make selection easier.
    Enter one or more integers representing the categories or groups of web pages to log. Use a space to separate the integers.
    To delete entries, use the unset command to delete the entire list.
    No default.

ftgd-wf-options {allow-ovrd error-allow http-err-detail rate-image-urls rate-server-ip strict-blocking}
    Select the options for category blocking.
    Enter allow-ovrd to allow authenticated rating overrides.
    Enter error-allow to allow web pages with a rating error to pass through.
    Enter http-err-detail to display a replacement message for 4xx and 5xx HTTP errors. If the error is allowed through, malicious or objectionable sites could use these common error pages to circumvent web category blocking.
    Enter rate-image-urls to rate images by URL. Blocked images are replaced with blanks.
    Enter rate-server-ip to send both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system.
    Enter strict-blocking to block a web page if any classification or category matches the rating.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    No default.

ftgd-wf-ovrd <cat_integer> [-<cat_integer> [-<cat_integer>]]
    Enter set ftgd-wf-ovrd ? at the prompt to view the list of categories and category groups. Categories are organized into groups to make selection easier.
    Enter one or more integers representing the categories or groups of web page ratings to override. Use a hyphen to separate the integers.
    To delete entries, use the unset command to delete the entire list.

ftgd-wf-ovrd-group <group_str>
    Configure the group used to authenticate for overrides.

ftp {archive-full archive-summary avmonitor avquery block clientcomfort no-content-summary oversize quarantine scan splice}
    Select the actions that this profile uses for filtering FTP traffic for a policy.
    Enter archive-full to archive the full content of transferred files to a FortiAnalyzer unit.
    Enter archive-summary to archive only content meta-information to a FortiAnalyzer unit.
    Enter avmonitor to log detected viruses, but allow them through the firewall without modification.
    Enter avquery to use the FortiGuard AV query service.
    Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    Enter clientcomfort to enable client comforting and prevent client timeout.
    Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    Enter oversize to enable blocking files that are over the file size threshold.
    Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    Enter scan to enable scanning files for viruses and worms.
    Streaming mode (also called splice) is permanently enabled by default for FTP.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: splice

ftpcomfortamount <size_integer>
    The number of bytes client comforting sends each interval to show that an FTP download is progressing. The interval time is set using ftpcomfortinterval.
    Default: 1

ftpcomfortinterval <seconds>
    The time in seconds before client comforting starts after an FTP download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using ftpcomfortamount.
    Default: 10

ftpoversizelimit <size_integer>
    The maximum in-memory file size that can be scanned, in megabytes. If the file is larger than ftpoversizelimit, the file is passed unscanned or blocked, depending on whether oversize is set in the profile ftp command. The maximum file size for scanning in memory is 10% of the FortiGate unit RAM.
    Default: 10

gnutella {block | pass | limit}
    Before you can configure this option, you must enable p2p scanning.
    Enter block to block Gnutella peer-to-peer traffic.
    Enter pass to allow Gnutella traffic.
    Enter limit to restrict the bandwidth used by Gnutella. Enter the bandwidth limit with gnutella-limit.
    Default: pass

gnutella-limit <limit_integer>
    When gnutella is set to limit, use gnutella-limit to specify the maximum bandwidth use allowed. The limit_integer can be 0 to 100000 Kbytes/second. If the maximum bandwidth is set to 0, no traffic is allowed by the policy.
    Default: 0
ht t p
{act i vexf i l t er
ar chi ve- f ul l
ar chi ve- summar y
avmoni t or
avquer y
bannedwor d
bl ock
chunkedbypass
cl i ent comf or t
cooki ef i l t er
exempt wor d
f or t i guar d- wf
j avaf i l t er
no- cont ent - summar y
over si ze
quar ant i ne
r angebl ock
scan
st r i ct - f i l e
ur l f i l t er }
Select the actions that this profile uses for filtering HTTP
traffic for a policy.
Enter act i vexf i l t er to block ActiveX.
Enter ar chi ve- f ul l to archive all the transferred files
to a FortiAnalyzer appliance.
Enter ar chi ve- summar y to enable archiving of HTTP
content meta-information to a FortiAnalyzer appliance.
Enter avmoni t or to log detected viruses, but allow
them through the firewall without modification.
Enter avquer y to use the Fortiguard-Antivirus service
for virus detection using MD5 checksums. This feature
is disabled by default.
Enter bannedwor d to enable web content blocking
based on the banned word list.
Enter bl ock to enable deleting files with blocked file
patterns even if the files do not contain viruses.
Enter chunkedbypass to allow web sites that use
chunked encoding for HTTP to bypass the firewall.
Chunked encoding means the HTTP message body is
altered to allow it to be transferred in a series of chunks.
Use of this feature is a risk. Malicious content could
enter the network if web content is allowed to bypass
the firewall.
Enter cl i ent comf or t to enable client comforting and
prevent client timeout.
Enter cooki ef i l t er to block cookies.
Enter exempt wor d to create words that are exempted
from policies.
Enter cont ent - ar chi ve to enable archiving of HTTP
content meta-information to a FortiAnalyzer appliance.
Enter f or t i guar d- wf to enable FortiGuard-Web
filtering.
Enter j avaf i l t er to block J ava scripts.
Enter no- cont ent - summar y to disable displaying a
content log summary which contains statistics since
bootup/reset and the most recent content logs split into
email, ftp, and http categories.
Enter over si ze to enable blocking files that are over
the large file size limit.
Enter quar ant i ne to enable quarantining files that
contain viruses. This feature is available for FortiGate
units that contain a hard disk.
Enter r angebl ock to block downloading parts of a file
that have already been partially downloaded. Enabling
this option prevents the unintentional download of virus
files hidden in fragmented files. Note that some types of
files, such as PDF, fragment files to increase download
speed and enabling this option can cause download
interruptions. Enabling this option may break certain
applications that use the Range Header in http protocol,
such as YUM (the Linux update manager).
Enter scan to enable scanning files for viruses and
worms.
Enter st r i ct - f i l e to perform stricter checking for
blocked files as specified in AntiVirus > File Pattern.
This more thorough checking can effectively block some
web sites with elaborate scripting using exe or dll files if
those patterns are blocked.
Enter ur l f i l t er to enable the URL filter list.
Enter all the actions for this profile to use. Use a space to
separate the options.To remove an option from the list or
add an option to the list, retype the list with the option
removed or added.
No actions.
Keywords and variables Description Default
httpcomfortamount <size_integer>
    The number of bytes client comforting sends each interval to show an FTP download is progressing. The interval time is set using httpcomfortinterval.
    Default: 1
httpcomfortinterval <seconds>
    The time in seconds before client comforting starts after an HTTP download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using httpcomfortamount.
    Default: 10
httpoversizelimit <size_integer>
    The maximum in-memory file size that can be scanned, in megabytes. If the file is larger than the httpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile http command. The maximum file size for scanning in memory is 10% of the FortiGate unit RAM.
    Default: 10
http-retry-count <retry_integer>
    Define the number of times to retry establishing an HTTP connection when the connection fails on the first try. The range is 0 to 100.
    This allows the web server proxy to repeat the connection attempt on behalf of the browser if the server refuses the connection the first time. This works well and reduces the number of hang-ups or page not found errors for busy web servers.
    The default of 0 (zero) effectively disables this feature.
    Default: 0
https {allow-ssl-unknown-sess-id archive-summary block-invalid-url fortiguard-wf no-content-summary urlfilter}
    Select the actions that this profile uses for filtering HTTPS traffic for a policy.
    Enter allow-ssl-unknown-sess-id to allow SSL sessions whose ID has not been previously filtered.
    Enter archive-summary to enable archiving of HTTPS content meta-information to a FortiAnalyzer appliance.
    Enter block-invalid-url to block SSL sites whose URL cannot be determined.
    Enter fortiguard-wf to enable FortiGuard-Web filtering.
    Enter no-content-summary to disable displaying a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, http and https categories.
    Enter urlfilter to enable the URL filter list.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: no actions
icq {enable-inspect block-im block-file block-audio content-meta content-full inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of ICQ Instant Messenger traffic.
    Enter block-im to block instant messages.
    Enter block-file to block file transfers.
    Enter block-audio to block audio content.
    Enter content-meta to archive meta-information.
    Enter content-full to archive full content information.
    Enter inspect-anyport to inspect on any port that is not used by any proxy.
    Enter no-content-summary to stop content information from displaying on the dashboard.
    Default: none
im {avmonitor avquery block oversize quarantine scan}
    Select the actions that this profile uses for filtering IM traffic for a policy.
    Enter avmonitor if a replacement message is required.
    Enter avquery to use the FortiGuard-Antivirus service for virus detection using MD5 checksums. This feature is disabled by default.
    Enter oversize to enable blocking files that are over the large file size limit.
    Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    Enter scan to enable scanning files for viruses and worms.
    Default: no actions
imoversizelimit <size_integer>
    The maximum in-memory file size that can be scanned, in megabytes. If the file is larger than the imoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile im command. The maximum file size for scanning in memory is 10% of the FortiGate unit RAM.
    Default: 10
imoversizechat <size_integer>
    Maximum length of chat messages in bytes. Range from 2048 to 65536.
    Default: 8192
imap {archive-full archive-summary avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
    Select the actions that this profile uses for filtering IMAP traffic for a policy.
    Enter archive-full to archive all the transferred files to a FortiAnalyzer appliance.
    Enter archive-summary to enable archiving of IMAP content meta-information to a FortiAnalyzer appliance.
    Enter avmonitor to log detected viruses, but allow them through the firewall without modification.
    Enter avquery to use the FortiGuard-Antivirus service for virus detection using MD5 checksums. This feature is disabled by default.
    Enter bannedword to enable email content blocking based on the banned word list.
    Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    Enter fragmail to enable blocking fragmented email messages.
    Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    Enter oversize to enable blocking files that are over the large file size limit.
    Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    Enter scan to enable scanning files for viruses and worms.
    Enter spam-mail-log to include spam in the mail log.
    Enter spamemailbwl to enable filtering based on the email address list.
    Enter spamfschksum to enable the FortiGuard-Antispam email message checksum spam check.
    Enter spamfsip to enable the FortiGuard-Antispam filtering IP address blacklist.
    Enter spamfssubmit to add a link to the message body to allow users to report messages incorrectly marked as spam. If an e-mail message is not spam, simply click the link in the message to inform FortiGuard of the false positive.
    Enter spamfsurl to enable the FortiGuard-Antispam filtering URL blacklist.
    Enter spamhdrcheck to enable filtering based on the MIME header list.
    Enter spamipbwl to enable filtering based on the email IP address.
    Enter spamraddrdns to enable filtering based on the return e-mail DNS check.
    Enter spamrbl to enable checking traffic against configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: fragmail spamfssubmit
imapoversizelimit <size_integer>
    The maximum in-memory file size that can be scanned, in megabytes. If the file is larger than the imapoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile imap command. The maximum file size for scanning in memory is 10% of the FortiGate unit RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
    Default: 10
imap-spamaction {pass | tag}
    Select the action that this profile uses for filtered IMAP email. Enter pass or tag.
    Enter pass to disable spam filtering for IMAP traffic.
    Enter tag to enable tagging spam email with text configured using the imap-spamtagmsg keyword and the location set using the imap-spamtagtype keyword.
    Default: tag
imap-spamtagmsg <message_str>
    Enter the subject text or MIME header text with which to tag spam messages. A tag of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: Spam
imap-spamtagtype {header | subject | spaminfo}
    Enter the location for the spam tag. The spam tag can be added to the MIME header, to the email subject, or to the spam email header.
    Default: subject
ips-anomaly {info | low | medium | high | critical}
    Select the IPS anomaly severity levels triggered for the protection profile.
    Default: none
ips-log {enable | disable}
    Enable logging of signature and anomaly intrusions.
    Default: disable
ips-signature {info | low | medium | high | critical}
    Select the IPS signature severity levels triggered for the protection profile.
    Default: none
kazaa {block | pass | limit}
    Before you can configure this option, you must enable p2p scanning.
    Enter block to block Kazaa peer to peer traffic.
    Enter pass to allow Kazaa traffic.
    Enter limit to restrict bandwidth used by Kazaa. Enter the bandwidth limit with kazaa-limit.
    Default: pass
kazaa-limit <limit_integer>
    When kazaa is set to limit, use kazaa-limit to specify the maximum bandwidth use allowed. The limit_integer can be 0 to 100000 Kbytes/second. If maximum bandwidth is set to 0, no traffic is allowed by the policy.
    Default: 0
log-av-block {enable | disable}
    Enable logging of content blocking.
    Default: disable
log-av-oversize {enable | disable}
    Enable logging of oversize file and email blocking.
    Default: disable
log-av-virus {enable | disable}
    Enable logging of viruses scanned.
    Default: disable
log-im {enable | disable}
    Enable logging of IM activity by profile.
    Default: disable
log-ips {enable | disable}
    Enable logging of IPS violations.
    Default: disable
log-p2p {enable | disable}
    Enable logging of P2P activity by profile.
    Default: disable
log-spam {enable | disable}
    Enable logging of spam detected.
    Default: disable
log-voip {enable | disable}
    Enable logging of VoIP detected.
    Default: disable
log-voip-violations {enable | disable}
    Enable logging of VoIP violations.
    Default: disable
log-web-content {enable | disable}
    Enable logging of web content blocking.
    Default: disable
log-web-filter-activex {enable | disable}
    Enable generation of a log entry each time web filtering blocks an ActiveX script.
    Default: disable
log-web-filter-cookie {enable | disable}
    Enable generation of a log entry each time web filtering blocks a cookie.
    Default: disable
log-web-filter-applet {enable | disable}
    Enable generation of a log entry each time web filtering blocks a Java applet.
    Default: disable
log-web-ftgd-err {enable | disable}
    Enable logging of FortiGuard rating errors.
    Default: disable
log-web-url {enable | disable}
    Enable logging of URLs blocked.
    Default: disable
mail-sig <signature_str>
    Enter a signature to add to outgoing email. A signature of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: none
mailsig-status {enable | disable}
    Enable or disable adding a signature to outgoing email.
    Default: disable
msn {enable-inspect block-im block-file block-audio block-photo content-meta content-full no-content-summary}
    Enter enable-inspect to enable inspection of Microsoft Messenger traffic.
    Enter block-im to block instant messages.
    Enter block-file to block file transfers.
    Enter block-audio to block audio content.
    Enter block-photo to block photo sharing.
    Enter content-meta to archive meta-information.
    Enter content-full to archive full content information.
    Enter no-content-summary to stop content information from displaying on the dashboard.
    Default: none
nntp {archive-full archive-summary avmonitor avquery block no-content-summary oversize scan spam-mail-log}
    Select the actions that this profile uses for filtering NNTP traffic for a policy.
    Enter archive-full to archive emails to the FortiAnalyzer.
    Enter archive-summary to archive only content meta-information to the FortiAnalyzer.
    Enter avmonitor to log detected viruses, but allow them through the firewall without modification.
    Enter avquery to use the FortiGuard AV query service.
    Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, FTP, HTTP, and NNTP categories.
    Enter oversize to enable blocking files that are over the large file size limit.
    Enter scan to enable scanning files for viruses and worms.
    Enter spam-mail-log to include spam in the mail log.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: fragmail splice
nntpoversizelimit <value>
    Support for this keyword will be added in the future.
    Maximum scannable file size. Minimum 1 MB, maximum 139 MB.
    Default: 10
p2p {enable | disable}
    Enable or disable the inspection of peer to peer traffic. If disabled, all p2p traffic is passed through the FortiGate unit without any inspection or statistics gathering.
    Default: disable
pop3 {archive-full archive-summary avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
    Select the actions that this profile uses for filtering POP3 traffic for a policy.
    Enter archive-full to archive emails to the FortiAnalyzer.
    Enter archive-summary to archive only content meta-information to the FortiAnalyzer.
    Enter avmonitor to log detected viruses, but allow them through the firewall without modification.
    Enter avquery to use the FortiGuard AV query service.
    Enter bannedword to enable email content blocking based on the banned word list.
    Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    Enter fragmail to enable blocking of fragmented email messages.
    Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, FTP, and HTTP categories.
    Enter oversize to enable blocking files that are over the large file size limit.
    Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    Enter scan to enable scanning files for viruses and worms.
    Enter spam-mail-log to include spam in the email log.
    Enter spamemailbwl to enable filtering based on the email address list.
    Enter spamfschksum to enable the FortiGuard-Antispam email message checksum spam check.
    Enter spamfsip to enable the FortiGuard-Antispam filtering IP address blacklist.
    Enter spamfssubmit to add a link to the message body to allow users to report messages incorrectly marked as spam. If an e-mail message is not spam, simply click the link in the message to inform FortiGuard of the false positive.
    Enter spamfsurl to enable the FortiGuard-Antispam filtering URL blacklist.
    Enter spamhdrcheck to enable filtering based on the MIME header list.
    Enter spamipbwl to enable filtering based on the email IP address.
    Enter spamraddrdns to enable filtering based on the return e-mail DNS check.
    Enter spamrbl to enable checking traffic against configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: fragmail spamfssubmit
pop3oversizelimit <size_integer>
    The maximum in-memory file size that can be scanned, in megabytes. If the file is larger than the pop3oversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile pop3 command. The maximum file size for scanning in memory is 10% of the FortiGate unit RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
    Default: 10
pop3-spamaction {pass | tag}
    Select the action that this profile uses for filtered POP3 email. Enter pass or tag.
    Enter pass to disable spam filtering for POP3 traffic.
    Enter tag to enable tagging spam email with text configured using the pop3-spamtagmsg keyword and the location set using the pop3-spamtagtype keyword.
    Default: tag
pop3-spamtagmsg <message_str>
    Enter the subject text or MIME header text to add to spam. A tag of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: Spam
pop3-spamtagtype {header | subject | spaminfo}
    Select the location for the spam tag. The spam tag can be added to the MIME header, to the email subject, or to the spam email header.
    Default: subject
skype {block | pass}
    Before you can configure this option, you must enable p2p scanning.
    Enter block to block Skype peer to peer traffic.
    Enter pass to allow Skype traffic.
    Default: pass
smtp {archive-full archive-summary avmonitor avquery bannedword block fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
    Select the actions a profile uses for filtering SMTP traffic.
    Enter archive-full to archive emails to the FortiAnalyzer.
    Enter archive-summary to archive only content meta-information to the FortiAnalyzer.
    Enter avmonitor to log detected viruses, but allow them through the firewall without modification.
    Enter avquery to use the FortiGuard AV query service.
    Enter bannedword to enable email blocking based on the banned word list.
    Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    Enter fragmail to enable blocking fragmented email.
    Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    Enter oversize to enable blocking files that are over the large file size limit.
    Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    Enter scan to enable scanning files for viruses and worms.
    Enter spam-mail-log to include spam in the mail log.
    Enter spamemailbwl to enable filtering based on the email address list.
    Enter spamfsip to enable the FortiGuard-Antispam filtering IP address blacklist.
    Enter spamfschksum to enable the FortiGuard-Antispam email message checksum spam check.
    Enter spamfssubmit to add a link to the message body allowing users to report messages incorrectly marked as spam. If an e-mail message is not spam, click the link in the message to report the false positive.
    Enter spamfsurl to enable the FortiGuard-Antispam filtering URL blacklist.
    Enter spamhdrcheck to enable filtering based on the MIME header list.
    Enter spamhelodns to enable filtering email based on the HELO/EHLO domain DNS check.
    Enter spamipbwl to enable filtering email based on the source IP or subnet address.
    Enter spamraddrdns to enable filtering based on the return e-mail DNS check.
    Enter spamrbl to enable checking traffic against configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Streaming mode (also called splice) is also enabled when scan is enabled. In the US Domestic distribution, streaming mode is permanently enabled for SMTP.
    In streaming mode, the FortiGate unit simultaneously scans and sends an email to the SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an error message to the sender, listing the virus and infected file name. With streaming mode enabled, select either Spam Action (Tagged or Discard) for SMTP spam. When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient. Throughput is higher when streaming mode is enabled.
    Enter all the actions for this profile to use. Use a space to separate the options. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: fragmail spamfssubmit splice
smtpoversizelimit <size_integer>
    The maximum in-memory file size that can be scanned, in megabytes. If the file is larger than the smtpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile smtp command. The maximum file size for scanning in memory is 10% of the FortiGate unit RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
    Default: 10
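To make the base64 note attached to imapoversizelimit, pop3oversizelimit and smtpoversizelimit concrete, here is an added Python example (not code from the FortiGate documentation) that computes the encoded size of a message's attachments and tests it against an oversize threshold. It assumes 1 MB = 1,048,576 bytes and that the mail client wraps base64 output every 76 characters with CRLF as MIME encoders usually do; the reference states neither.

```python
import math

MIB = 1024 * 1024  # assumption: the CLI's "megabytes" are taken as MiB here


def base64_size(raw_bytes: int, mime_wrap: bool = True) -> int:
    """Bytes produced by base64-encoding raw_bytes of attachment data.

    Every 3 input bytes become 4 output bytes and a trailing partial group
    is padded to 4 (the 3:4 expansion the reference describes).  With
    mime_wrap the encoder is assumed to insert CRLF after every 76 output
    characters, which adds a further ~2.6% (assumption, not from the page).
    """
    encoded = 4 * math.ceil(raw_bytes / 3)
    if mime_wrap:
        encoded += 2 * math.ceil(encoded / 76)
    return encoded


def encoded_message_size(attachment_sizes, body_bytes=0, mime_wrap=True):
    """Approximate on-the-wire size of an email: the plain body plus every
    attachment after base64 encoding."""
    return body_bytes + sum(base64_size(n, mime_wrap) for n in attachment_sizes)


def is_oversize(attachment_sizes, limit_mb, body_bytes=0, mime_wrap=True):
    """True when the encoded message exceeds the *oversizelimit value (MB).
    This is the size the unit compares, not the raw attachment size."""
    return encoded_message_size(attachment_sizes, body_bytes, mime_wrap) > limit_mb * MIB


def largest_safe_attachment(limit_mb, mime_wrap=True):
    """Largest single raw attachment (bytes) that still fits under the
    threshold: invert the 3:4 expansion (and the 76->78 wrapping overhead),
    then step down if rounding pushed the estimate over."""
    limit = limit_mb * MIB
    guess = (limit * 76 // 78 // 4) * 3 if mime_wrap else (limit // 4) * 3
    while base64_size(guess, mime_wrap) > limit:
        guess -= 1
    return guess


def effective_scan_limit_mb(configured_mb: int, unit_ram_mb: int) -> int:
    """The limit actually usable in memory: the configured value, capped at
    10% of the unit's RAM as the reference states."""
    return min(configured_mb, unit_ram_mb // 10)
```

With a 10 MB threshold an 8 MiB attachment is already oversize after encoding, while 7 MiB still passes.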
smtp-spamaction {discard | pass | tag}
    Select the action that this profile uses for filtered SMTP email. Enter discard, pass, or tag. Tagged allows the appending of a custom tag to the subject or header of email identified as spam. When scan or streaming mode (also called splice) is enabled, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without streaming mode or scanning enabled, choose to discard, pass, or tag SMTP spam. In the US Domestic distribution, streaming mode is permanently enabled for SMTP, and the tag option is not available.
    Enter discard to enable deleting email identified as spam.
    Enter pass to disable spam filtering for SMTP traffic.
    Enter tag to enable tagging spam email with text configured using the smtp-spamtagmsg keyword and the location set using the smtp-spamtagtype keyword.
    Default: discard
smtp-spamhdrip {enable | disable}
    Enable or disable checking of header IP addresses for the spamfsip, spamrbl, and spamipbwl filters.
    Default: disable
smtp-spam-localoverride {enable | disable}
    Enable this option to let the locally defined black/white antispam lists override the SMTP remote checks, which include the IP RBL check, the IP FortiGuard antispam check, and the HELO DNS check.
    Default: disable
smtp-spamtagmsg <message_str>
    Enter the subject text or MIME header text added to spam email. A tag of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: Spam
smtp-spamtagtype {header | subject | spaminfo}
    Enter the location for the spam tag. The spam tag can be added to the MIME header, to the email Subject header, or to the spam email header.
    Default: subject
spambwordtable <list_id>
    Specify the ID number of the spamfilter banned word list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
spamemaddrtable <list_id>
    Specify the ID number of the spamfilter email address list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
spamipbwltable <list_id>
    Specify the ID number of the spamfilter IP address black/white list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
spamiptrusttable <list_id>
    Specify the ID number of the spamfilter IP trust list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
spammheadertable <list_id>
    Specify the ID number of the spamfilter MIME header list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
    Default: none
spamrbltable <list_id>
    Specify the ID number of the spamfilter DNSBL list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
    Default: none
spambwordthreshold <value_integer>
    If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting.
    Default: 10
webbwordtable <list_id>
    Specify the ID number of the webfilter banned word list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
    Default: none
webexmwordtable <list_id>
    Specify the ID number of the webfilter exempt word list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
    Default: none
weburlfiltertable <list_id>
    Specify the ID number of the webfilter URL filter list to be used with the protection profile.
    This command only appears on FortiGate-800 and above units.
    Default: none
webwordthreshold <value_integer>
    If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked.
    Default: 10
winny {block | pass | limit}
    Enter block to block WinNY peer to peer traffic.
    Enter pass to allow WinNY traffic.
    Enter limit to restrict bandwidth used by WinNY. Enter the bandwidth limit with winny-limit.
    Default: pass
winny-limit <limit_integer>
    Before you can configure this option, you must enable p2p scanning.
    When winny is set to limit, use winny-limit to specify the maximum bandwidth use allowed. The limit_integer can be 0 to 100000 Kbytes/second. If maximum bandwidth is set to 0, no traffic is allowed by the policy.
    Default: 0
yahoo {enable-inspect block-im block-file block-audio block-photo content-meta content-full inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of Yahoo Messenger traffic.
    Enter block-im to block instant messages.
    Enter block-file to block file transfers.
    Enter block-audio to block audio content.
    Enter block-photo to block photo sharing.
    Enter content-meta to archive meta-information.
    Enter content-full to archive full content information.
    Enter inspect-anyport to inspect on any port that is not used by any proxy.
    Enter no-content-summary to stop content information from displaying on the dashboard.
    Default: none
Example
This example shows how to:
create a profile called spammail
enable filtering of email according to the email banned word list, the MIME header list, and the return DNS check, and enable spam to be logged and tagged with the tag Spam in the subject for POP3 traffic
enable filtering of email based on the DNSBL server, and log and discard messages identified as spam for SMTP traffic
config firewall profile
edit spammail
set pop3 spamemailbwl spamhdrcheck spamraddrdns
set pop3-spamaction tag
set pop3-spamtagmsg Spam
set pop3-spamtagtype subject
set log-spam enable
set smtp spamrbl
set smtp-spamaction discard
end
This example shows how to:
add HTTP category blocking to the spammail profile created above
configure category blocking to deny access to web pages categorized as Games (20), Personals and Dating (37), Shopping and Auction (42) and the category group Objectionable or Controversial (g02)
configure category monitoring to log access to web pages categorized as Computer Security (50) and the category group Potentially Bandwidth Consuming (g04)
config firewall profile
edit spammail
set ftgd-wf-deny 20 37 42 g02
set ftgd-wf-log 50 g04
end
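The following added Python example (not Fortinet code) parses config firewall profile text like the examples above and checks it against the constraints documented in the keyword table: the spam-action value sets, the integer ranges, the p2p prerequisite for kazaa, skype and winny, and the rule that scan or splice on smtp leaves discard as the only SMTP spam action. The sample profiles are constructed; one deliberately still uses the log spam-action variable that the command history says was removed in FortiOS v2.80 MR2.

```python
# Constraints taken from the keyword table on this page.
SMTP_DEFAULT = ["fragmail", "spamfssubmit", "splice"]  # default smtp actions
ENUMS = {
    "pop3-spamaction": {"pass", "tag"},
    "imap-spamaction": {"pass", "tag"},
    "smtp-spamaction": {"discard", "pass", "tag"},
    "p2p": {"enable", "disable"},
    "kazaa": {"block", "pass", "limit"},
    "winny": {"block", "pass", "limit"},
    "skype": {"block", "pass"},
}
RANGES = {
    "kazaa-limit": (0, 100000),
    "winny-limit": (0, 100000),
    "imoversizechat": (2048, 65536),
    "http-retry-count": (0, 100),
    "nntpoversizelimit": (1, 139),
}
P2P_KEYWORDS = ("kazaa", "skype", "winny")


def parse_profiles(text):
    """Parse 'config firewall profile' CLI text into {name: {keyword: [values]}}.

    Only the nesting used on this page is handled: config / edit <name> /
    set <keyword> <values...> / end (or next)."""
    profiles, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = profiles.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return profiles


def lint_profile(settings):
    """Return the list of problems found in one profile's settings."""
    problems = []
    for key, allowed in ENUMS.items():
        values = settings.get(key)
        if values is not None and (len(values) != 1 or values[0] not in allowed):
            problems.append(f"{key}: expected one of {sorted(allowed)}, got {' '.join(values)!r}")
    for key, (lo, hi) in RANGES.items():
        values = settings.get(key)
        if values is None:
            continue
        if len(values) != 1 or not values[0].isdigit() or not lo <= int(values[0]) <= hi:
            problems.append(f"{key}: must be an integer from {lo} to {hi}, got {' '.join(values)!r}")
    # scan or streaming mode (splice) on smtp leaves discard as the only SMTP
    # spam action; splice is part of the default, so an unset smtp keyword
    # still counts as streaming mode.
    smtp_actions = set(settings.get("smtp", SMTP_DEFAULT))
    if smtp_actions & {"scan", "splice"} and settings.get("smtp-spamaction", ["discard"]) != ["discard"]:
        problems.append("smtp-spamaction: only discard is available while smtp has scan or splice")
    # kazaa, skype and winny only take effect once p2p inspection is enabled.
    if settings.get("p2p", ["disable"]) != ["enable"]:
        for key in P2P_KEYWORDS:
            if key in settings:
                problems.append(f"{key}: requires 'set p2p enable' to take effect")
    # limit with the default 0 Kbytes/second allows no traffic at all.
    for key in ("kazaa", "winny"):
        if settings.get(key) == ["limit"] and settings.get(key + "-limit", ["0"]) == ["0"]:
            problems.append(f"{key}: limit with {key}-limit 0 allows no {key} traffic")
    return problems


def lint_config(text):
    """Lint every profile in a config block: {profile name: [problems]}."""
    return {name: lint_profile(s) for name, s in parse_profiles(text).items()}


# Constructed: a profile still using the pre-v2.80 MR2 'log' spam-action variable.
STALE_EXAMPLE = """\
config firewall profile
edit spammail
set pop3 spamemailbwl spamhdrcheck spamraddrdns
set pop3-spamaction log tag
set pop3-spamtagmsg Spam
set pop3-spamtagtype subject
set smtp spamrbl
set smtp-spamaction log discard
end
"""

# Constructed: the same intent expressed with the documented keyword values.
FIXED_EXAMPLE = """\
config firewall profile
edit spammail
set pop3 spamemailbwl spamhdrcheck spamraddrdns
set pop3-spamaction tag
set pop3-spamtagmsg Spam
set pop3-spamtagtype subject
set log-spam enable
set smtp spamrbl
set smtp-spamaction discard
end
"""

# Constructed: settings that look plausible but violate the table.
P2P_EXAMPLE = """\
config firewall profile
edit constructed
set kazaa limit
set imoversizechat 1024
set smtp-spamaction tag
end
"""
```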
Command history
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Removed log variable from imap-spamaction, pop3-spamaction, and smtp-spamaction keywords.
FortiOS v2.80 MR3 Added splice variable to ftp and smtp keywords. Moved from config antivirus ftp service and config antivirus smtp service. Added chunkedbypass variable to http keyword.
FortiOS v2.80 MR5 Added http_err_detail to cat_options keyword.
FortiOS v2.80 MR6 Removed buffer_to_disk variable from ftp, http, imap, pop3, and smtp keywords. Added spamfeip variable to imap, pop3, and smtp keywords. Changed content_log variable to content-archive for ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR7 Changed spamfeip variable to spamfsip for the FortiShield Antispam Service. Added no-content-summary variable to ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR8 Added spamfsurl for the FortiShield spam filter URL blacklist to imap, pop3, and smtp keywords.
FortiOS v3.0 Added keywords for FortiGuard. New options added for ftp, http, imap, pop3, smtp, imap-spamtagtype, pop3-spamtagtype, smtp-spamtagtype. Added keywords for IM. Added new keywords for IPS. Added new keywords for logging. Added smtp-spamhdrip to profile. Added all IM and P2P options. Added client comforting and oversize file commands. Added NNTP-related commands. Added list selection commands for FortiGate units 800 and above.
FortiOS v3.0 MR3 Added new options avquery and exemptword for http. Removed options fileexempt, mail_log and spamfschksum from http, pop3 and imap. Added new options archive-full, archive-summary and avquery for imap, pop3, and aim. Removed options content-archive and fileexempt from imap and im.
FortiOS v3.0 MR4 Added no-content-summary to AIM, ICQ, MSN, and Yahoo options. Removed transfer-log from the same commands as it is not a feature.
FortiOS v3.0 MR4 Added VoIP config commands for SCCP, Simple, and SIP protocols. Added associated-interface, nntpoversizelimit, imoversizechat, log-voip, log-voip-violations, and HTTPS commands. Removed the following options and commands: nntp-spamaction, nntp-spamtagtype, nntp-spamtagmsg. Added set smtp-spam-localoverride command.
Related topics
firewall policy, policy6
alertemail
spamfilter
antivirus
ips
webfilter
schedule onetime
Use this command to add, edit, or delete one-time schedules.
Use scheduling to control when policies are active or inactive. Use one-time schedules for policies that
are effective once for the period of time specified in the schedule.
Command syntax pattern
config firewall schedule onetime
    edit <name_str>
        set end <hh:mm> <yyyy/mm/dd>
        set start <hh:mm> <yyyy/mm/dd>
    end
Example
Use the following example to add a one-time schedule named Holiday that is valid from 5:00 pm on
3 September 2004 until 8:45 am on 7 September 2004.
config firewall schedule onetime
    edit Holiday
        set start 17:00 2004/09/03
        set end 08:45 2004/09/07
    end
Keywords and variables

name_str
    The name of this schedule.
    No default.

end <hh:mm> <yyyy/mm/dd>
    The ending day and time of the schedule.
    hh - 00 to 23
    mm - 00, 15, 30, or 45
    yyyy - 1992 to infinity
    mm - 01 to 12
    dd - 01 to 31
    No default.

start <hh:mm> <yyyy/mm/dd>
    The starting day and time of the schedule.
    hh - 00 to 23
    mm - 00, 15, 30, or 45
    yyyy - 1992 to infinity
    mm - 01 to 12
    dd - 01 to 31
    No default.

Note: To edit a schedule, define the entire schedule, including the changes. This means entering all of the
schedule parameters, both those that are changing and those that are not.

Command history
FortiOS v2.80   Revised.

Related topics
firewall policy, policy6
firewall schedule recurring
schedule recurring
Use this command to add, edit, and delete recurring schedules used in firewall policies.
Use scheduling to control when policies are active or inactive. Use recurring schedules to create
policies that repeat weekly. Use recurring schedules to create policies that are effective only at
specified times of the day or on specified days of the week.
Command syntax pattern
config firewall schedule recurring
    edit <name_str>
        set day <name_str>
        set end <hh:mm>
        set start <hh:mm>
    end
Example
This example shows how to add a recurring schedule named access so that it is valid Monday to
Friday from 7:45 am to 5:30 pm.
config firewall schedule recurring
    edit access
        set day monday tuesday wednesday thursday friday
        set start 07:45
        set end 17:30
    end
Edit the recurring schedule named access so that it is no longer valid on Fridays.
config firewall schedule recurring
    edit access
        set day monday tuesday wednesday thursday
        set start 07:45
        set end 17:30
    end
Note: If a recurring schedule is created with a stop time that occurs before the start time, the schedule starts at the
start time and finishes at the stop time on the next day. Use this technique to create recurring schedules that run
from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the start and
stop times to the same time.
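The schedule semantics of the onetime and recurring sections above, as an added Python example (not Fortinet code): it enforces the hh/mm limits both commands document, evaluates a one-time window, and evaluates a recurring schedule including the end-before-start and equal-times cases described in the note. The function names and the at() helper are this example's own.

```python
from datetime import datetime
from typing import Sequence, Tuple

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
MINUTES_PER_DAY = 24 * 60


def parse_hhmm(text: str) -> int:
    """Parse an <hh:mm> value into minutes since midnight, enforcing the
    CLI limits: hh is 00 to 23 and mm is one of 00, 15, 30, or 45."""
    hh, mm = text.split(":")
    hour, minute = int(hh), int(mm)
    if not 0 <= hour <= 23:
        raise ValueError("hh must be 00 to 23")
    if minute not in (0, 15, 30, 45):
        raise ValueError("mm must be 00, 15, 30, or 45")
    return hour * 60 + minute


def at(date: str, time: str) -> datetime:
    """Build a datetime from the CLI's <yyyy/mm/dd> and <hh:mm> forms."""
    return datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M")


def parse_onetime(start_time: str, start_date: str,
                  end_time: str, end_date: str) -> Tuple[datetime, datetime]:
    """Validate the values of 'set start' and 'set end' for a onetime schedule."""
    parse_hhmm(start_time)  # 15-minute granularity applies to both times
    parse_hhmm(end_time)
    start, end = at(start_date, start_time), at(end_date, end_time)
    if start.year < 1992 or end.year < 1992:
        raise ValueError("yyyy must be 1992 or later")
    if end <= start:
        raise ValueError("end must be after start")
    return start, end


def onetime_active(start: datetime, end: datetime, now: datetime) -> bool:
    """A one-time schedule is effective once, from start up to end."""
    return start <= now < end


def recurring_active(days: Sequence[str], start: str, end: str, now: datetime) -> bool:
    """A recurring schedule begins at 'start' on each listed day and lasts
    until 'end'. If end is earlier than start it ends at 'end' on the following
    day; equal start and end times give a full 24 hours (see the note above)."""
    s, e = parse_hhmm(start), parse_hhmm(end)
    duration = (e - s) % MINUTES_PER_DAY or MINUTES_PER_DAY
    week = 7 * MINUTES_PER_DAY
    now_minutes = now.weekday() * MINUTES_PER_DAY + now.hour * 60 + now.minute
    for day in days:
        begin = DAYS.index(day.lower()) * MINUTES_PER_DAY + s
        # Offset of 'now' from this window's start, wrapped around the week so
        # that a window starting late Sunday still covers early Monday.
        offset = (now_minutes - begin) % week
        if offset < duration:
            return True
    return False
```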
Keywords and variables

name_str
    The name of this schedule.
    No default.

day <name_str>
    Enter the names of one or more days of the week for which the schedule is valid. Separate names
    by a space.
    No default.

end <hh:mm>
    The ending time of the schedule.
    hh can be 00 to 23
    mm can be 00, 15, 30, or 45 only
    Default: 00:00

start <hh:mm>
    The starting time of the schedule.
    hh can be 00 to 23
    mm can be 00, 15, 30, or 45 only
    Default: 00:00
Command history
FortiOS v2.80   Revised.

Related topics
firewall policy, policy6
firewall schedule onetime
service custom
Use this command to add, edit, or delete custom firewall services.
Add a custom service to create a policy for a service that is not in the predefined service list.
Command syntax pattern
config firewall service custom
    edit <name_str>
        set tcp-portrange <dstportlow_integer>[-<dstporthigh_integer>:
            <srcportlow_integer>-<srcporthigh_integer>]
        set udp-portrange <dstportlow_integer>[-<dstporthigh_integer>:
            <srcportlow_integer>-<srcporthigh_integer>]
        set icmpcode <code_integer>
        set icmptype <type_integer>
        set protocol {ICMP | IP | TCP/UDP}
        set protocol-number <protocol_integer>
    end
Keywords and variables

name_str
    The name of this custom service.
    No default.

tcp-portrange <dstportlow_integer>[-<dstporthigh_integer>:<srcportlow_integer>-<srcporthigh_integer>]
    For TCP services, enter the destination and source port ranges.
    If the destination port range can be any port, enter 1-65535. If the destination is only a single
    port, simply enter a single port number for dstportlow_integer and no value for
    dstporthigh_integer.
    If the source port can be any port, no source port need be added. If the source port is only a
    single port, simply enter a single port number for srcportlow_integer and no value for
    srcporthigh_integer.
    No default.

udp-portrange <dstportlow_integer>[-<dstporthigh_integer>:<srcportlow_integer>-<srcporthigh_integer>]
    For UDP services, enter the destination and source port ranges.
    If the destination port range can be any port, enter 1-65535. If the destination is only a single
    port, simply enter a single port number for dstportlow_integer and no value for
    dstporthigh_integer.
    If the source port can be any port, no source port need be added. If the source port is only a
    single port, simply enter a single port number for srcportlow_integer and no value for
    srcporthigh_integer.
    No default.

icmpcode <code_integer>
    Enter the ICMP code number. Find ICMP type and code numbers at www.iana.org.
    No default.

icmptype <type_integer>
    Enter the ICMP type number. The range for type_integer is from 0-255. Find ICMP type and code
    numbers at www.iana.org.
    No default.

protocol {ICMP | IP | TCP/UDP}
    Enter the protocol used by the service.
    No default.

protocol-number <protocol_integer>
    For an IP service, enter the Internet protocol number. Find Internet protocol numbers at
    www.iana.org.
    No default.
Example
This example shows how to add a custom service called Custom_1. The service destination port
range is TCP 4501 to 4503. The service can use any source port.
config firewall service custom
    edit Custom_1
        set protocol TCP/UDP
        set tcp-portrange 4501-4503
    end
A second example shows how to add a custom service called Custom_2. The service destination port
range is TCP 4545 to 4550. The service uses source port 9620.
config firewall service custom
    edit Custom_2
        set protocol TCP/UDP
        set tcp-portrange 4545-4550:9620
    end
Command history
FortiOS v2.80   Revised.
FortiOS v3.00   The portrange command split into tcp-portrange and udp-portrange.

Related topics
firewall policy, policy6
service group
Use this command to add, edit, or delete firewall service groups.
To make it easier to add policies, create groups of services and then add one policy to provide or block
access for all the services in the group. A service group can contain predefined services and custom
services in any combination. A service group cannot be added to another service group.
Command syntax pattern
config firewall service group
    edit <group-name_str>
        set member <name_str> [<name_str> [<name_str> ...]]
    end
Example
This example shows how to add a service group called web_Services that includes the FTP, HTTP,
HTTPS, and Real Audio services.
config firewall service group
    edit web_Services
        set member FTP HTTP HTTPS RAUDIO
    end
This example shows how to add the TELNET service to the web_Services service group.
config firewall service group
    edit web_Services
        set member FTP HTTP HTTPS RAUDIO TELNET
    end
Note: To edit a service group, enter all of the members of the service group, both those changing and those
staying the same.

Keywords and variables

group-name_str
    The name of this service group.
    No default.

member <service-name_str> [<service-name_str> [<service-name_str> ...]]
    Enter the names, separated by spaces, of the predefined and custom firewall services to add to the
    service group. To view the list of available services enter set member ? at the prompt.
    <service_str> is case-sensitive.
    No default.

Command history
FortiOS v2.80   Revised.

Related topics
firewall policy, policy6
service predefined
Use this command to retrieve information about predefined services.
The following information is available:
destination port
source port
ICMP code
ICMP type
protocol
protocol-number
Command syntax pattern
get firewall service predefined <service_name>
Example output
Fortigate-200A # get firewall service predefined FTP
name                : FTP
icmpcode            :
icmptype            :
protocol            : TCP/UDP
protocol-number     : 6
tcpport-range       : 21-21:0-65535
udpport-range       :
Fortigate-200A # get firewall service predefined SIP
name                : SIP
icmpcode            :
icmptype            :
protocol            : TCP/UDP
protocol-number     : 17
tcpport-range       :
udpport-range       : 5060-5060:0-65535
Fortigate-200A # get firewall service predefined AOL
name                : AOL
icmpcode            :
icmptype            :
protocol            : TCP/UDP
protocol-number     : 6
tcpport-range       : 5190-5194:0-65535
udpport-range       :
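An added Python example (not Fortinet code) that parses the port-range notation shared by set tcp-portrange and set udp-portrange in service custom and by the tcpport-range and udpport-range fields of the get output above, then tests whether a connection's destination and source ports fall inside a service definition. The Service class and function names are this example's own; FTP_OUTPUT is a constructed copy of the FTP entry shown above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PortRange = Tuple[int, int]


def _parse_span(text: str) -> PortRange:
    """'80' -> (80, 80); '4501-4503' -> (4501, 4503)."""
    if "-" in text:
        lo, hi = (int(part) for part in text.split("-", 1))
    else:
        lo = hi = int(text)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def parse_portrange(spec: str) -> Tuple[PortRange, PortRange]:
    """Return ((dst_lo, dst_hi), (src_lo, src_hi)) for the CLI form
    <dstportlow>[-<dstporthigh>:<srcportlow>[-<srcporthigh>]].  A missing
    source part means any source port, as the custom-service table says."""
    spec = spec.strip()
    if ":" in spec:
        dst, src = spec.split(":", 1)
        return _parse_span(dst), _parse_span(src)
    return _parse_span(spec), (0, 65535)


@dataclass
class Service:
    name: str
    protocol: str               # 'TCP/UDP', 'ICMP' or 'IP', as in the CLI
    tcp: Optional[str] = None   # tcp-portrange spec, if any
    udp: Optional[str] = None   # udp-portrange spec, if any

    def matches(self, proto: str, dst_port: int, src_port: int) -> bool:
        """True if a TCP or UDP connection falls inside this service."""
        spec = {"tcp": self.tcp, "udp": self.udp}.get(proto.lower())
        if self.protocol != "TCP/UDP" or spec is None:
            return False
        (dlo, dhi), (slo, shi) = parse_portrange(spec)
        return dlo <= dst_port <= dhi and slo <= src_port <= shi


def parse_predefined_output(text: str) -> Service:
    """Parse one 'name : ...' block printed by get firewall service predefined."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only
            fields[key.strip()] = value.strip()
    return Service(
        name=fields["name"],
        protocol=fields["protocol"],
        tcp=fields.get("tcpport-range") or None,   # empty field -> no range
        udp=fields.get("udpport-range") or None,
    )


# Constructed copy of the FTP entry from the example output above.
FTP_OUTPUT = """\
name                : FTP
icmpcode            :
icmptype            :
protocol            : TCP/UDP
protocol-number     : 6
tcpport-range       : 21-21:0-65535
udpport-range       :
"""
```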
vip
Use this command to add, edit, or delete virtual IPs.
Virtual IPs can be used to allow connections through a FortiGate unit using network address
translation (NAT) firewall policies. Virtual IPs use Proxy ARP so that the FortiGate unit can respond to
ARP requests on a network for a server that is actually installed on another network. Proxy ARP is
defined in RFC 1027.
For example, you can add a virtual IP to an external FortiGate unit interface so that the external
interface can respond to connection requests for users who are actually connecting to a server on the
DMZ or internal network.
Virtual IP ranges can be of almost any size and can translate addresses to different subnets. Virtual IP
ranges have the following restrictions:
The mapped IP cannot include 0.0.0.0 or 255.255.255.255
The external IP cannot be 0.0.0.0 if the virtual IP type is static NAT and is mapped to a range of
IP addresses. Only load balance virtual IPs, and static NAT virtual IPs mapped to a single IP
address, support an external IP of 0.0.0.0
Port mapping maps a range of external port numbers to a range of internal port numbers. The
number of ports in these two ranges must be equal. Therefore, the external port must not be set
so that its range exceeds 65535. For example, an internal range of 20 ports mapped from the
external port 65530 is invalid as the last port in the range would be 65550.
When port forwarding, the external IP range cannot include any interface IP addresses
The mapped IP range must not include any interface IP addresses
Virtual IP name cannot be the same as any address names, or address group names
No duplicate entries or overlapping ranges are permitted
You can create different kinds of virtual IPs, each of which can be used for a different destination NAT
(DNAT) variation.

Static NAT
    Static NAT virtual IPs map an external IP address or IP address range on a source network to a
    mapped IP address or IP address range on a destination network.
    Static NAT virtual IPs use one-to-one mapping. A single external IP address is mapped to a single
    mapped IP address. A range of external IP addresses is mapped to a corresponding range of mapped
    IP addresses. A given IP address in the source address range is always mapped to the same IP
    address in the destination address range.

Static NAT Port Forwarding
    Static NAT port forwarding maps a single IP address or address range and a single port number or a
    range of port numbers on one network to a different single IP address or address range and a
    different single port number or range of port numbers on another network.
    Static NAT port forwarding is also just called port forwarding. Static NAT port forwarding virtual
    IPs use one-to-one mapping. A range of external IP addresses is mapped to a corresponding range of
    mapped IP addresses and a range of external port numbers is mapped to a corresponding range of
    mapped port numbers.
    Port forwarding virtual IPs can be used to configure the FortiGate unit for port address
    translation (PAT).

Load Balancing
    Also called dynamic port forwarding. A load balancing virtual IP maps a single IP address on one
    network to an IP address range on another network.
    Load balancing uses a one-to-many mapping and a load balancing algorithm to randomly select the
    destination IP address from the IP address range.

Load Balancing port forwarding
    A load balancing with port forwarding virtual IP maps a single IP address and port number on one
    network to a range of IP addresses and a range of port numbers on another network.
    Load balancing port forwarding uses a one-to-many load balancing algorithm to randomly select the
    destination IP address from the IP address range and also randomly selects the destination port
    from the destination port number range.

Dynamic virtual IPs
    If you set the external IP address of a virtual IP to 0.0.0.0 you create a dynamic virtual IP in
    which any external IP address is translated to the mapped IP address or IP address range.

Server Load Balancing
    The FortiGate unit will load balance using only the addresses you specify.
    At least one real address must be added to use this feature.
    A maximum of 8 real servers can be added.

Server Load Balancing port forwarding
    Server load balancing with port forwarding maps a single IP address and port number on one
    network to up to 8 specific server addresses and 8 specific ports on another network.

Note: Virtual IPs are not available or required in transparent mode.

Command syntax pattern
config firewall vip
    edit <name_str>
        config realservers
            edit <table_id>
                set dead-interval
                set healthcheck
                set ip
                set ping-detect
                set port
                set wake-interval
                set weight
            end
        set extintf <name_str>
        set extip <address_ipv4>
        set extport <port_integer>
        set ldb-method {round-robin | static | weighted}
        set mappedip <start_ipv4>[-<end_ipv4>]
        set mappedport <port_integer>
        set portforward {enable | disable}
        set protocol {tcp | udp}
        set type {load-balance | server-load-balance | static-nat}
    end
Keywords and variables

name_str
    The name of this virtual IP address.
    No default.

extintf <name_str>
    The name of the interface connected to the source network that receives the packets to be
    forwarded to the destination network. name_str can be any FortiGate interface, VLAN subinterface,
    or IPSec VPN interface.
    No default.

extip <address_ipv4>
    The external IP address that you want to map to an address on the destination network.
    If you want to configure a static NAT virtual IP that maps a range of external IP addresses to a
    range of destination IP addresses, set extip to the first IP address in the range. Then set
    mappedip to the start and end of the destination IP address range. The FortiGate unit
    automatically calculates the end of the extip IP address range.
    To configure a dynamic virtual IP that accepts connections for any IP address, set extip to
    0.0.0.0.
    Default: 0.0.0.0

extport <port_integer>
    The external port number that you want to map to a port number on the destination network.
    If you want to configure a static NAT virtual IP that maps a range of external port numbers to a
    range of destination port numbers, set extport to the first port number in the range. Then set
    mappedport to the start and end of the destination port range. The FortiGate unit automatically
    calculates the end of the extport port number range.
    To configure a dynamic virtual IP that accepts connections for any port, set extport to 0.
    Default: 0

mappedip <start_ipv4>[-<end_ipv4>]
    The real IP address on the destination network to which the external IP address is mapped.
    You can enter an address range to forward packets to multiple IP addresses on the destination
    network.
    For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates
    the external IP address range.
    Default: 0.0.0.0

mappedport <port_integer>
    The port number on the destination network to which the external port number is mapped.
    You can also enter a port number range to forward packets to multiple ports on the destination
    network.
    For a static NAT virtual IP, if you add a mapped port range the FortiGate unit calculates the
    external port number range.
    Default: 0

portforward {enable | disable}
    Enable to configure a port forwarding virtual IP. If you enable portforward you can specify
    extport and mappedport.
    Default: disable

protocol {tcp | udp}
    The protocol, TCP or UDP, to be used by the forwarded packets.
    Default: tcp

type {load-balance | server-load-balance | static-nat}
    The type of virtual IP to add or edit.
    Enter load-balance to configure a load balancing virtual IP.
    Enter server-load-balance to select specific addresses of real servers in your network.
    Enter static-nat to configure a static NAT virtual IP.
    Default: static-nat

These commands are for server-load-balance only

ldb-method {round-robin | static | weighted}
    This selects the load balancing method used.
    round-robin: Directs requests to the next server, and treats all servers as equals regardless of
    response time or number of connections. Dead servers or non-responsive servers are avoided. A
    separate server is required.
    static: The traffic load is spread evenly across all servers; no additional server is required.
    weighted: Servers with a higher weight value will receive a larger percentage of connections at
    any one time. Server weights can be set in config realservers with set weight.
    Default: static

realservers
    Use this command to configure the settings for using a real server.
    No default.

table_id
    The number used to identify the server that you are configuring. 0 means the lowest available
    number.
    No default.

dead-interval
    The interval of time that a connection can remain idle before it is dropped. A range of 10-255
    seconds can be used.
    Default: 10

healthcheck
    Enable this feature to check the status of the server before forwarding the session.
    Default: disable

ip
    Address of a real server in your network.
    Default: 0.0.0.0

ping-detect
    Enable this to use ping to test the server status. healthcheck must be enabled before using
    ping-detect.
    Default: disable

port
    Used to specify the port used if port forwarding is enabled.
    Default: 10
wake-interval
    The interval of time the connection will try to detect a server before giving up. A range of 10-255
    seconds can be used.
    Default: 10

weight
    Determines the weight value of a specific server. The higher the weight value, the higher the
    percentage of connections the server will handle. A range of 1-255 can be used.
    Default: 1

Example
This example shows how to add a static NAT virtual IP named Web_Server that allows users on the
Internet to connect to a web server on the internal network. The Internet address of the web server is
64.32.21.34 and the real IP address of the web server on the internal network is 192.168.1.44.
config firewall vip
    edit Web_Server
        set extintf external
        set extip 64.32.21.34
        set mappedip 192.168.1.44
    end
This example shows how to edit the static NAT virtual IP named Web_Server to change the real IP
address of the web server on the internal network to 192.168.110.23.
config firewall vip
    edit Web_Server
        set mappedip 192.168.110.23
    end
This example shows how to add a static NAT port forwarding virtual IP that uses port address
translation to allow external access to a web server on the internal network if there is no separate
external IP address for the web server. In this example, the IP address of the external interface is
192.168.100.99 and the real IP address of the web server on the internal network is 192.168.1.93.
config firewall vip
    edit web_Server
        set portforward enable
        set extintf external
        set extip 192.168.100.99
        set extport 80
        set mappedip 192.168.1.93
        set mappedport 80
    end
This example shows how to enter a static NAT virtual IP named Server_Range that allows Internet
users to connect to a range of 10 virtual IP addresses on the Internet and have the IP addresses in this
range mapped to a range of IP addresses on the DMZ network. The DMZ network contains 10 servers
with IP addresses from 10.10.10.20 to 10.10.10.29. The Internet IP addresses for these servers are in
the range 219.34.56.10 to 219.34.56.19. In this example you do not have to enter the external IP
address range. Instead you enter the first IP address in the external IP address range and the
FortiGate unit calculates the end of the IP address range based on the number of IP addresses
defined by the mapped IP address range. Also in the example, port2 is connected to the Internet.
config firewall vip
    edit Server_Range
        set extintf port2
        set extip 219.34.56.10
        set mappedip 10.10.10.20-10.10.10.29
    end
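The static NAT range calculation and the virtual IP restrictions listed at the start of this section, as an added Python example (not Fortinet code): it reproduces how the unit derives the external IP and port ranges from the mapped ranges and reports which listed restrictions a configuration violates. StaticNatVip and the problem names are this example's own; the Server_Range and Web_Server values come from the examples in this section.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_PORT = 65535
MAX_IPV4 = (1 << 32) - 1


@dataclass
class StaticNatVip:
    """The 'config firewall vip' settings that matter for a static NAT VIP."""
    name: str
    extintf: str
    extip: str                          # first external address; 0.0.0.0 = dynamic VIP
    mappedip_start: str
    mappedip_end: Optional[str] = None  # None = single mapped address
    portforward: bool = False
    extport: int = 0                    # first external port; 0 = any port
    mappedport_start: int = 0
    mappedport_end: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _mapped_bounds(vip: StaticNatVip) -> Tuple[int, int]:
    lo = _ip(vip.mappedip_start)
    hi = _ip(vip.mappedip_end or vip.mappedip_start)
    return (lo, hi) if lo <= hi else (hi, lo)


def external_ip_range(vip: StaticNatVip) -> Tuple[str, str]:
    """The unit derives the end of the extip range from the size of the mappedip
    range; return the (first, last) external address it would use."""
    lo, hi = _mapped_bounds(vip)
    first = _ip(vip.extip)
    last = first + (hi - lo)
    if last > MAX_IPV4:
        raise ValueError("external IP range runs past 255.255.255.255")
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def external_port_range(vip: StaticNatVip) -> Tuple[int, int]:
    """Same rule for ports: extport is the first port and the mapped port range
    fixes the size, so the two ranges always contain the same number of ports."""
    end = vip.mappedport_end if vip.mappedport_end is not None else vip.mappedport_start
    return vip.extport, vip.extport + (end - vip.mappedport_start)


def validate(vip: StaticNatVip, interface_ips: List[str]) -> List[str]:
    """Return the names of the restrictions the VIP violates (empty list = OK)."""
    problems: List[str] = []
    lo, hi = _mapped_bounds(vip)
    iface = [_ip(addr) for addr in interface_ips]
    # The mapped IP cannot include 0.0.0.0 or 255.255.255.255.
    if lo == 0 or hi == MAX_IPV4:
        problems.append("mappedip-includes-reserved-address")
    # The mapped IP range must not include any interface IP addresses.
    if any(lo <= addr <= hi for addr in iface):
        problems.append("mappedip-includes-interface-ip")
    count = hi - lo + 1
    if _ip(vip.extip) == 0:
        # A static NAT VIP may use the external IP 0.0.0.0 only when it is
        # mapped to a single IP address, not to a range.
        if count > 1:
            problems.append("dynamic-vip-mapped-to-range")
    else:
        ext_lo = _ip(vip.extip)
        ext_hi = ext_lo + count - 1
        if ext_hi > MAX_IPV4:
            problems.append("extip-range-overflow")
        # When port forwarding, the external IP range cannot include any
        # interface IP address.
        elif vip.portforward and any(ext_lo <= addr <= ext_hi for addr in iface):
            problems.append("extip-includes-interface-ip")
    if vip.portforward and vip.extport != 0:
        # Both port ranges must hold the same number of ports, so the external
        # range must not run past 65535.
        if external_port_range(vip)[1] > MAX_PORT:
            problems.append("extport-range-exceeds-65535")
    return problems
```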
This example shows how to enter a load balancing virtual IP named Ext_Load_Balance that allows
Internet users to connect to a single virtual IP address on the Internet and have that IP address
mapped to a range of IP addresses on the network connected to port5. You might use a configuration
such as this to load balance connections from the Internet to an internal server farm. In the example
the Internet is connected to port2, the virtual IP address is 67.34.56.90, and the IP address range
on the network connected to port5 is 172.20.120.10 to 172.20.120.30.
config firewall vip
    edit Ext_Load_Balance
        set type load-balance
        set extintf port2
        set extip 67.34.56.90
        set mappedip 172.20.120.10-172.20.120.30
    end
Command history
FortiOS v2.80       Revised.
FortiOS v3.00       Revised.
FortiOS v3.00       Added server-load-balance to set type.
FortiOS v3.0 MR4    Added the following commands and options: config realservers.

Related topics
firewall policy, policy6
vipgrp
You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ
interface, if you have two email servers that use Virtual IP mapping, you can put these two VIPs into
one VIP group and create one external-to-DMZ policy, instead of two policies, to control the traffic.
Command syntax pattern
config firewall vipgrp
    edit <group_name>
        set *interface {external | internal | port1 | port2 | port3 | port4/HA}
        set *member
    end
Example
config firewall vipgrp
    edit group_one
        set interface internal
        set member vipone viptwo vipthree
    end
Keywords and variables

group_name
    The name of the VIP group to be configured.
    No default.

*interface {external | internal | port1 | port2 | port3 | port4/HA}
    The interface that the group will use.
    No default.

*member
    Members of the VIP group. Members should be added all in one line.
    No default.

Command history
FortiOS v3.0 MR4    Command vipgrp added.

Related topics
vip
gui
This chapter covers the commands used to restore the web-based manager CLI console and topology viewer.
This chapter contains the following sections:
console
topology
console
Use this command to configure the web-based manager CLI console.
Command syntax pattern
config gui console
    set preferences <filedata>
end
To obtain base-64 encoded data from a configured CLI console, use:
show gui console
Example
This example shows how to upload the base64-encoded data file (pref-file) containing the commands to
set up the CLI console on the FortiGate unit.
config gui console
    set preferences pref-file
end
Variables

preferences <filedata>
    Base64-encoded file to upload containing the commands to set up the CLI console GUI on the
    FortiGate unit.

Command history
FortiOS v3.00 MR5   New.
topology
Use this command to configure the web-based manager topology viewer.
Command syntax pattern
config gui topology
    set background-image <filedatabackground>
    set database <filedatabase>
    set preferences <filedatapref>
end
To obtain base-64 encoded data from a configured topology viewer, use:
show gui topology
Example
This example shows how to upload the data file (topguifile) containing commands to set up the
topology GUI on the FortiGate unit and the background image (backgroundfile).
config gui topology
    set preferences topguifile
    set background-image backgroundfile
end
Variables

background-image <filedatabackground>
    Base64-encoded file to upload containing the commands to set up the background image of the
    web-based manager topology viewer.

database <filedatabase>
    Base64-encoded file to upload containing the data used to set up the web-based manager topology
    viewer.

preferences <filedatapref>
    Base64-encoded file to upload containing the commands to set the preferences of the web-based
    manager topology viewer.

Command history
FortiOS v3.00 MR5   New.
imp2p
Use imp2p commands to configure user access to Instant Messaging and Person-to-Person
applications, and to configure a global policy for unknown users who might use these applications.
This chapter contains the following sections:
aim-user
icq-user
msn-user
old-version
policy
yahoo-user
aim-user
Use this command to permit or deny a specific user the use of AOL Instant Messenger.
Command syntax pattern
config imp2p aim-user
    edit <name_str>
        set action {permit | deny}
    end
Example
This example shows how to add user_1 and permit the user to use the AIM protocol if the policy is set
to allow AOL Instant Messenger.
config imp2p aim-user
    edit user_1
        set action permit
    end
Keywords and variables

name_str
    The name of the AIM user.

action {permit | deny}
    Permit or deny the use of AOL Instant Messenger by this user.
    Default: deny

Command history
FortiOS v3.0    New.

Related topics
imp2p icq-user
imp2p msn-user
imp2p old-version
imp2p policy
imp2p yahoo-user
icq-user
Use this command to permit or deny a specific user the use of ICQ Instant Messenger.
Command syntax pattern
config imp2p icq-user
    edit <name_str>
        set action {permit | deny}
    end
Example
This example shows how to add user_1 and permit the user to use the ICQ protocol if the policy is set
to allow ICQ Instant Messenger.
config imp2p icq-user
    edit user_1
        set action permit
    end
Keywords and variables

name_str
    The name of the ICQ user.

action {permit | deny}
    Permit or deny the use of the ICQ Instant Messenger by this user.
    Default: deny

Command history
FortiOS v3.0    New.

Related topics
imp2p aim-user
imp2p msn-user
imp2p old-version
imp2p policy
imp2p yahoo-user
msn-user
Use this command to permit or deny a specific user the use of MSN Messenger.
Command syntax pattern
config imp2p msn-user
    edit <name_str>
        set action {permit | deny}
    end
Example
This example shows how to add user_1 and permit the user to use the MSN protocol if the policy is set
to allow MSN Messenger.
config imp2p msn-user
    edit user_1
        set action permit
    end
Keywords and variables

name_str
    The name of the MSN user.

action {permit | deny}
    Permit or deny the use of MSN Messenger by this user.
    Default: deny

Command history
FortiOS v3.0    New.

Related topics
imp2p aim-user
imp2p icq-user
imp2p old-version
imp2p policy
imp2p yahoo-user
old-version
Some older versions of IM protocols are able to bypass file blocking because the message types are
not recognized. The following command provides the option to disable these older IM protocol
versions. Supported IM protocols include:
MSN 6.0 and above
ICQ 4.0 and above
AIM 5.0 and above
Yahoo 6.0 and above
Command syntax pattern
config imp2p old-version
    set aim {block | best-effort}
    set icq {block | best-effort}
    set msn {block | best-effort}
    set yahoo {block | best-effort}
end
Example
This example shows how to block older versions of MSN Messenger and inspect older versions of
Yahoo Messenger.
config imp2p old-version
    set msn block
    set yahoo best-effort
end
Keywords and variables

aim {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the
    session based on the policy.
    Default: block

icq {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the
    session based on the policy.
    Default: block

msn {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the
    session based on the policy.
    Default: block

yahoo {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the
    session based on the policy.
    Default: block

Command history
FortiOS v3.0    New.

Related topics
imp2p aim-user
imp2p icq-user
imp2p msn-user
imp2p policy
imp2p yahoo-user
policy
Use this command to create a global policy for instant messenger applications. If an unknown user
attempts to use one of the applications, the user can either be permitted use and added to a white list,
or be denied use and added to a black list.
Command syntax pattern
config imp2p policy
    set aim {allow | deny}
    set icq {allow | deny}
    set msn {allow | deny}
    set yahoo {allow | deny}
end
Example
This example shows how to configure the IM/P2P policy to allow AOL Instant Messenger, MSN
Messenger, and Yahoo Messenger but deny ICQ Instant Messenger.
conf i g i mp2p pol i cy
set ai mal l ow
set msn al l ow
set i cq deny
set yahoo al l ow
end
Command history
Related topics
imp2p aim-user
imp2p icq-user
imp2p msn-user
imp2p old-version
imp2p yahoo-user
Keywords and variables Description Default
ai m{al l ow | deny} Allow an unknown user and add the user to the white list.
Deny an unknown user and add the user to the black list.
deny
i cq {al l ow | deny} Allow an unknown user and add the user to the white list.
Deny an unknown user and add the user to the black list.
deny
msn {al l ow | deny} Allow an unknown user and add the user to the white list.
Deny an unknown user and add the user to the black list.
deny
yahoo {al l ow | deny} Allow an unknown user and add the user to the white list.
Deny an unknown user and add the user to the black list.
deny
FortiOS v3.0 New
yahoo-user
Use this command to permit or deny a specific user the use of Yahoo Messenger.
Command syntax pattern
  config imp2p yahoo-user
    edit <name_str>
      set action {permit | deny}
  end
Keywords and variables
  name_str
    The name of the Yahoo user.
  action {permit | deny}
    Permit or deny the use of Yahoo Messenger by this user. Default: deny
Example
This example shows how to add user_1 and permit the user to use the Yahoo protocol if the policy is
set to allow Yahoo Messenger.
  config imp2p yahoo-user
    edit user_1
      set action permit
  end
Command history
  FortiOS v3.0    New
Related topics
  imp2p aim-user
  imp2p icq-user
  imp2p msn-user
  imp2p old-version
  imp2p policy
ips
Use ips commands to configure actions taken on anomalies and signatures, create custom signatures,
and group signatures into signature groups.
This option is only available in Transparent mode.
This chapter contains the following sections:
  anomaly
  custom
  global
  group
Note: If the IPS test can't find the destination MAC address, the peer interface will be used. To ensure
packets get IPS inspection, there must be a Peer Interface. Both interfaces must be in the same VDOM,
and one interface cannot be both the peer and original interface. For information on how to set the Peer
Interface see interface on page 346.
anomaly
The FortiGate IPS uses anomalies to identify network traffic that does not fit known or preset traffic
patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP
protocols.
  Flooding
    If the number of sessions targeting a single destination in one second is over a threshold, the
    destination is experiencing flooding.
  Scan
    If the number of sessions from a single source in one second is over a threshold, the source is
    scanning.
  Source session limit
    If the number of concurrent sessions from a single source is over a threshold, the source
    session limit is reached.
  Destination session limit
    If the number of concurrent sessions to a single destination is over a threshold, the destination
    session limit is reached.
Enable or disable logging for each anomaly, and control the IPS action in response to detecting an
anomaly. In many cases, configure the thresholds the anomaly uses to detect traffic patterns that could
represent an attack.
Note: It is important to estimate the normal and expected traffic on the network before changing the default
anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high
could miss some attacks.
The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
The config ips anomaly command has 1 subcommand.
config limit
Access the config limit subcommand using the config ips anomaly <name_str> command. Use this
command for session control based on source and destination network address. This command is
available for tcp_src_session, tcp_dst_session, icmp_src_session, icmp_dst_session,
udp_src_session, udp_dst_session.
The default entry cannot be edited. Addresses are matched from more specific to more general. For
example, if thresholds are defined for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24
bit netmask is matched before the entry with the 16 bit netmask.
Command syntax pattern
  config ips anomaly <name_str>
    set action {clear-session | drop | drop-session | pass | pass-session | reset | reset-client |
      reset-server}
    set log {enable | disable}
    set status {enable | disable}
    set threshold <threshold_integer>
    config limit
      edit <limit_str>
        set dst-ip <ip&netmask>
        set service <port-num>
        set src-ip <ip&netmask>
        set threshold <threshold_integer>
      end
  end
  get ips anomaly <name_str>
Keywords and variables
  name_str
    The name of the anomaly.
  action {clear-session | drop | drop-session | pass | pass-session | reset | reset-client |
  reset-server}
    Select an action for the FortiGate unit to take when traffic triggers this anomaly. If logging
    is enabled, the action appears in the status field of the log message generated by the anomaly.
      clear-session
        The FortiGate unit drops the packet that triggered the anomaly, removes the session from
        the FortiGate session table, and does not send a reset.
      drop
        The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using
        an action other than drop for TCP connection based attacks.
      drop-session
        The FortiGate unit drops the packet that triggered the anomaly and drops any other packets
        in the same session.
      pass
        The FortiGate unit lets the packet that triggered the anomaly pass through the firewall.
        If logging is disabled and action is set to pass, the anomaly is effectively disabled.
      pass-session
        The FortiGate unit lets the packet that triggered the anomaly and all other packets in the
        session pass through the firewall.
      reset
        The FortiGate unit drops the packet that triggered the anomaly, sends a reset to both the
        client and the server, and removes the session from the FortiGate session table. Used for
        TCP connections only. If this action is set for non-TCP connection based attacks, the
        action behaves as clear-session. If the reset action is triggered before the TCP
        connection is fully established it acts as clear-session.
      reset-client
        The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the
        client, and removes the session from the FortiGate session table. Used for TCP connections
        only. If this action is set for non-TCP connection based attacks, the action behaves as
        clear-session. If the reset-client action is triggered before the TCP connection is fully
        established it acts as clear-session.
      reset-server
        The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the
        server, and removes the session from the FortiGate session table. Used for TCP connections
        only. If this action is set for non-TCP connection based attacks, the action behaves as
        clear-session. If the reset-server action is triggered before the TCP connection is fully
        established it acts as clear-session.
    Default: varies.
  default-action {clear-session | drop | drop-session | pass | pass-session | reset |
  reset-client | reset-server}
    The default action for the anomaly. This option is get only.
  default-severity {info | low | medium | high | critical}
    The default severity level for the anomaly. This option is get only. Default: critical
  log {enable | disable}
    Enable or disable logging for the anomaly. If logging is enabled, the action appears in the
    status field of the log message generated by the anomaly. Default: enable
  severity {info | low | medium | high | critical}
    This option is get only. No default.
  status {enable | disable}
    Enable or disable this anomaly. Default: enable
  threshold <threshold_integer>
    For the anomalies that include the threshold setting, traffic over the specified threshold
    triggers the anomaly. Default: varies.
  The keywords below are specific to the config limit command.
  limit_str
    The name of the limit.
  dst-ip <ip&netmask>
    The IP address and netmask of the destination network. No default.
  service <port-num>
    The port number used by the anomaly within the limit.
  src-ip <ip&netmask>
    The IP address and netmask of the source network.
  threshold <threshold_integer>
    Set the threshold that triggers this anomaly within the defined limit. No default.
Examples
This example shows how to change the tcp_land anomaly configuration.
  config ips anomaly tcp_land
    set action pass
    set log enable
    set status enable
  end
This example shows how to change the icmp_flood anomaly configuration.
  config ips anomaly icmp_flood
    set action drop
    set log enable
    set status enable
    set threshold 1024
  end
Use the following command to configure the limit for the tcp_src_session anomaly.
  config ips anomaly tcp_src_session
    config limit
      edit subnet1
        set src-ip 1.1.1.0 255.255.255.0
        set threshold 300
      end
  end
Use the following command to get information about the anomaly syn_flood.
  get ips anomaly syn_flood
  name             : syn_flood
  status           : enable
  severity         : critical
  default-severity : critical
  log              : enable
  action           : clear-session
  default-action   : clear-session
  limit:
      == [ default ]
          name: default
Command history
  FortiOS v2.80       Substantially revised.
  FortiOS v3.0        Added severity, default-action, and default-severity.
  FortiOS v3.0 MR5    Under the config limit command, set ipaddress was removed. dst-ip, service,
                      and src-ip commands were added.
Related topics
  ips custom
  ips global
  ips group
  ips fail-open {enable | disable}
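As an added illustration of the config limit matching and the action semantics described above (example code written for this reference, not FortiOS code), the following Python model resolves which limit entry applies to a session, checks a source session limit against it, and works out which action the unit effectively takes. The entry names, addresses, default threshold and session sample are constructed.

```python
"""Model of the IPS 'config limit' lookup and the action semantics described
above. Added example, not FortiOS code: it reproduces the documented rules
(the entry with the more specific netmask is matched first, the non-editable
'default' entry is the fallback, and the reset actions behave as clear-session
for non-TCP or not-yet-established traffic) so that a threshold plan can be
sanity-checked offline. Entry names, addresses, the default threshold and the
session sample below are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ACTIONS = {"clear-session", "drop", "drop-session", "pass", "pass-session",
           "reset", "reset-client", "reset-server"}


@dataclass(frozen=True)
class LimitEntry:
    """One 'edit <limit_str>' entry under 'config limit'."""
    name: str
    threshold: int                        # set threshold <threshold_integer>
    src_ip: Optional[IPv4Network] = None  # set src-ip <ip&netmask>
    dst_ip: Optional[IPv4Network] = None  # set dst-ip <ip&netmask>
    service: Optional[int] = None         # set service <port-num>

    def matches(self, src, dst, port):
        if self.src_ip is not None and ip_address(src) not in self.src_ip:
            return False
        if self.dst_ip is not None and ip_address(dst) not in self.dst_ip:
            return False
        return self.service is None or self.service == port

    def specificity(self):
        """Longer netmasks (and a port restriction) rank as more specific."""
        bits = sum(n.prefixlen for n in (self.src_ip, self.dst_ip) if n is not None)
        return bits + (1 if self.service is not None else 0)


def select_limit(entries, src, dst, port, default_threshold):
    """Return (entry name, threshold) of the most specific matching entry,
    or the 'default' entry when nothing else matches."""
    candidates = [e for e in entries if e.matches(src, dst, port)]
    if not candidates:
        return "default", default_threshold
    best = max(candidates, key=LimitEntry.specificity)
    return best.name, best.threshold


def source_session_limit(sessions, entries, default_threshold):
    """tcp_src_session-style check: count concurrent sessions per source and
    compare against the threshold of the limit entry covering each session.
    Returns {source: (entry name, session count)} for sources over threshold."""
    per_src = Counter(s["src"] for s in sessions)
    hits = {}
    for s in sessions:
        name, threshold = select_limit(entries, s["src"], s["dst"], s["port"],
                                       default_threshold)
        if per_src[s["src"]] > threshold:
            hits[s["src"]] = (name, per_src[s["src"]])
    return hits


def effective_action(action, proto, tcp_established=True):
    """The reset actions apply to established TCP connections only; for
    anything else the unit behaves as clear-session, as the table states."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action.startswith("reset") and (proto != "tcp" or not tcp_established):
        return "clear-session"
    return action


# Constructed limit table: a /16 entry and a more specific /24 inside it.
LIMITS = [
    LimitEntry("subnet1", threshold=300, src_ip=ip_network("192.168.0.0/16")),
    LimitEntry("subnet1_servers", threshold=50, src_ip=ip_network("192.168.100.0/24")),
]
DEFAULT_THRESHOLD = 1000  # constructed stand-in for the 'default' entry's threshold

# Constructed snapshot of concurrent sessions (one dict per session).
SESSIONS = (
    [{"src": "192.168.100.7", "dst": "10.0.0.1", "port": 80, "proto": "tcp"}] * 60
    + [{"src": "192.168.50.9", "dst": "10.0.0.1", "port": 80, "proto": "tcp"}] * 120
    + [{"src": "172.16.1.1", "dst": "10.0.0.2", "port": 53, "proto": "udp"}] * 500
)

if __name__ == "__main__":
    for src, (entry, count) in source_session_limit(SESSIONS, LIMITS, DEFAULT_THRESHOLD).items():
        print(f"{src}: {count} sessions exceed limit entry {entry!r}")
    print("reset on udp ->", effective_action("reset", "udp"))
```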
custom
Create custom IPS signatures and add them to a single Custom signature group.
Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network
environments. The FortiGate predefined signatures cover common attacks. If an unusual or
specialized application or an uncommon platform is being used, add custom signatures based on the
security alerts released by the application and platform vendors.
Use custom signatures to block or allow specific traffic.
After adding the custom signature, configure the settings for it under the signature group named
custom. For more information on configuring signature groups, see ips group on page 157.
For more information on custom signature syntax see the FortiGate IPS Custom Signatures Technical
Bulletin.
Note: Custom signatures are an advanced feature. This document assumes the user has previous experience
writing intrusion detection signatures.
Command syntax pattern
  config ips custom
    edit <sig_name>
      set signature <signature_str>
  end
Keywords and variables
  sig_name
    The name of the custom signature.
  signature <signature_str>
    Enter the custom signature. The signature must be enclosed in single quotes. No default.
Example
This example shows how to add a custom signature for ICMP packets set to type 10.
  config ips custom
    edit ICMP10
      set signature 'F-SBID( --protocol icmp; --icmp_type 10; --revision 2; )'
  end
Command history
  FortiOS v2.80    Substantially revised.
Related topics
  ips global
  ips group
  execute backup
  execute restore
  ips fail-open {enable | disable}
global
Use this command to ignore sessions after a set amount of traffic has passed.
Command syntax pattern
  config ips global
    set fail-open {enable | disable}
    set anomaly-mode {continuous | periodical}
    set engine-count <integer>
    set ignore-session-bytes <byte_integer>
    set ip-protocol {enable | disable}
    set session-limit-mode {accurate | heuristic}
    set socket-size <ips_buffer_size>
    set traffic-submit {enable | disable}
  end
  get ips global
Keywords and variables
  anomaly-mode {continuous | periodical}
    Enter continuous to start blocking packets once the attack starts. Enter periodical to allow
    the configured number of packets per second. Default: continuous
  engine-count <integer>
    Enter a number of engines to count. 0 is recommended. Default: 0
  fail-open {enable | disable}
    If for any reason the IPS should cease to function, it will fail open by default. This means
    that crucial network traffic will not be blocked and the firewall will continue to operate
    while the problem is resolved. Default: enable
  ignore-session-bytes <byte_integer>
    Set the number of bytes after which the session is ignored. Default: 204800
  ip-protocol {enable | disable}
    Enter one of the following:
      disable: only TCP, UDP and ICMP packets are processed by IPS signatures.
      enable: other protocols in addition to TCP, UDP, and ICMP are processed by IPS signatures.
    Default: disable
  session-limit-mode {accurate | heuristic}
    Enter accurate to accurately count the concurrent sessions. This option demands more
    resources. Enter heuristic to heuristically count the concurrent sessions. Default: heuristic
  socket-size <ips_buffer_size>
    Set the IPS buffer size. The default value is correct in most cases. Default: model-dependent
  traffic-submit {enable | disable}
    Submit attack characteristics to the FortiGuard Service. Default: disable
Example
This example shows how to set the IPS to ignore sessions after 204800 bytes.
  config ips global
    set ignore-session-bytes 204800
  end
This example shows how to see the current configuration of ips global.
  # get ips global
  anomaly-mode        : continuous
  engine-count        : 0
  fail-open           : enable
  ignore-session-bytes: 204800
  ip-protocol         : disable
  session-limit-mode  : heuristic
  socket-size         : 8 (MB)
  traffic-submit      : disable
Command history
  FortiOS v3.0        New.
  FortiOS v3.0 MR4    Merged get ips global including example.
Related topics
  ips group
  execute backup
  execute restore
  ips fail-open {enable | disable}
group
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack
signatures reliably protect the network from known attacks. Fortinet's FortiGuard infrastructure
ensures the rapid identification of new threats and the development of new attack signatures.
Configure the FortiGate unit to automatically check for and download an updated attack definition file
containing the latest signatures, or manually download the updated attack definition file. Also configure
the FortiGate unit to allow push updates of updated attack definition files as soon as they are available
from the FortiGuard Distribution Network. For details, see system autoupdate schedule on page 306
and execute update-av on page 562.
When the FortiGate unit installs an updated attack definition file, it checks to see if the default
configuration for any existing signatures has changed. If the default configuration has changed, the
changes are preserved.
Disabling unneeded signatures can improve system performance and reduce the number of log
messages and alert emails that the IPS generates. For example, the IPS detects a large number of
web server attacks. If there is no web server behind the FortiGate unit, disable all web server attack
signatures.
You can use the config ips group command to list signatures in groups based on the type of
attack.
For each signature, configure the action the FortiGate IPS takes when it detects an attack. The
FortiGate IPS can pass, drop, reset or clear packets or sessions. Also enable or disable logging of the
attack.
The config ips group command has 1 subcommand.
config rule <rule-name_str>
Access the rule subcommand using the ips group command. Use the config rule subcommand to
configure the settings for individual signatures in a signature group.
Command syntax pattern
  config ips group <group_name_str>
    config rule <rule_name_str>
      set action {clear_session | drop | drop_session | pass | pass_session | reset | reset_client
        | reset_server}
      set log {enable | disable}
      set log_packet {enable | disable}
      set status {enable | disable}
      config exempt-ip
        edit <name_str>
          set dst-ip <class_ip&net_netmask>
          set src-ip <class_ip&net_netmask>
        end
    end
Keywords and variables
  group_name_str
    The name of the signature group.
  rule_name_str
    The name of the rule.
  action {clear_session | drop | drop_session | pass | pass_session | reset | reset_client |
  reset_server}
    Select an action for the FortiGate unit to take when traffic triggers this signature. If
    logging is enabled, the action appears in the status field of the log message generated by
    the signature.
      clear_session
        The FortiGate unit drops the packet that triggered the signature, removes the session from
        the FortiGate session table, and does not send a reset.
      drop
        The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using
        an action other than drop for TCP connection based attacks.
      drop_session
        The FortiGate unit drops the packet that triggered the signature and drops any other packets
        in the same session.
      pass
        The FortiGate unit lets the packet that triggered the signature pass through the firewall.
        If logging is disabled and action is set to pass, the signature is effectively disabled.
      pass_session
        The FortiGate unit lets the packet that triggered the signature and all other packets in the
        session pass through the firewall.
      reset
        The FortiGate unit drops the packet that triggered the signature, sends a reset to both the
        client and the server, and removes the session from the FortiGate session table. Used for
        TCP connections only. If this action is set for non-TCP connection based attacks, the action
        behaves as clear_session. If the reset action is triggered before the TCP connection is
        fully established it acts as clear_session.
      reset_client
        The FortiGate unit drops the packet that triggered the signature, sends a reset to the
        client, and removes the session from the FortiGate session table. Used for TCP connections
        only. If this action is set for non-TCP connection based attacks, the action behaves as
        clear_session. If the reset_client action is triggered before the TCP connection is fully
        established it acts as clear_session.
      reset_server
        The FortiGate unit drops the packet that triggered the signature, sends a reset to the
        server, and removes the session from the FortiGate session table. Used for TCP connections
        only. If this action is set for non-TCP connection based attacks, the action behaves as
        clear_session. If the reset_server action is triggered before the TCP connection is fully
        established it acts as clear_session.
    Default: varies.
  application
    This option is get only.
  default_action {clear_session | drop | drop_session | pass | pass_session | reset |
  reset_client | reset_server}
    The default action for the rule. This option is get only.
  default_severity {info | low | medium | high | critical}
    The default severity level for the rule. This option is get only. Default: critical
  log {enable | disable}
    Enable or disable logging for the signature. If logging is enabled, the action appears in the
    status field of the log message generated by the signature. Default: enable
  log_packet {enable | disable}
    Enable or disable packet logging. Default: disable
  location
    This option is get only.
  os
    This option is get only.
  rev <rev_integer>
    The revision number of the rule. This option is get only. Default: 0
  rule-id
    Unique number used to identify the rule within the FortiOS database. This option is get only.
  service
    This option is get only.
  severity {info | low | medium | high | critical}
    The severity level for the rule. Default: low
  status {enable | disable}
    Enable or disable this signature. Default: enable
  status (default)
    This option is get only.
  The following keywords are specific to the config exempt-ip command.
  name_str
    Name of the host you want to exempt from IPS signatures. No default.
  exempt-ip
    Option to exclude hosts from IPS signatures. No default.
  dst-ip <class_ip&net_netmask>
    Destination IP and netmask. Default: 0.0.0.0 0.0.0.0
  src-ip <class_ip&net_netmask>
    Source IP and netmask. Default: 0.0.0.0 0.0.0.0
Examples
This example shows how to change the action for the Newtear signature in the dos signature group
to drop.
  config ips group DoS
    config rule Newtear
      set action drop
    end
  end
Use the following command to get information about the rule Echo.Reply.
  config ips group icmp
  (icmp) # config rule Echo.Reply
  (Echo.Reply) # get
  name              : Echo.Reply
  action            : pass
  action(default)   : pass
  application       : OTHER
  exempt-ip:
  location          :
  log               : enable
  log-packet        : disable
  os                : OTHER
  rev               : 2.136
  rule-id           : 17956886
  service           : OTHER
  severity(default) : info
  status            : disable
  status(default)   : disable
Command history
  FortiOS v2.80       Substantially revised.
  FortiOS v3.0        Add severity, default_action, and default_severity to rule.
  FortiOS v3.0 MR4    Added rule Oversized.Echo.Request.Packet and exempt-ip.
Related topics
  ips anomaly
  system autoupdate schedule
  execute update-av
  ips global
  ips fail-open {enable | disable}
log
Use the config log commands to set the logging type, the logging severity level, and the logging
location for the FortiGate unit.
  {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
  disk setting
  fortianalyzer setting
  fortiguard setting
  memory setting
  syslogd setting
  webtrends setting
  trafficfilter
  report customization
  report definition
  report filter
  report output
  report period
  report schedule
  report scope
  report selection
  report summary-layout
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
Use this command to configure log filter options. Log filters define the types of log messages sent to
each log location. Use the ? command to view each filter setting since not all filter settings display for
each device.
Filter settings include commands for multiple Syslog servers or multiple FortiAnalyzer units. For
example, config log fortianalyzer2 filter. See fortianalyzer setting on page 170 for more
information about configuring multiple FortiAnalyzer units, and syslogd setting on page 174 for more
information about configuring multiple Syslog servers.
When enabling filter settings for VoIP, also enable VoIP settings in a protection profile. VoIP calls
cannot be properly logged unless both filter and protection profile settings for VoIP are enabled. See
firewall on page 81 about enabling VoIP settings in a protection profile.
Filter settings for fortiguard are only available when FortiGuard Analysis Services is enabled. Filter
settings for disk are available only for FortiGate units with hard disks. FortiGuard Log & Analysis was
renamed to FortiGuard Analysis Services for FortiOS 3.0 MR5.
Command syntax pattern
  config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
    set admin {disable | enable}
    set allowed {disable | enable}
    set anomaly {disable | enable}
    set attack {disable | enable}
    set auth {disable | enable}
    set blocked {disable | enable}
    set dhcp {disable | enable}
    set email {disable | enable}
    set email-log-imap {disable | enable}
    set email-log-pop3 {disable | enable}
    set email-log-smtp {disable | enable}
    set event {disable | enable}
    set ha {disable | enable}
    set ftgd-wf-block {disable | enable}
    set ftgd-wf-errors {disable | enable}
    set im {disable | enable}
    set im-all {disable | enable}
    set infected {disable | enable}
    set ipsec {disable | enable}
    set other-traffic {disable | enable}
    set oversized {disable | enable}
    set pattern {disable | enable}
    set ppp {disable | enable}
    set severity {alert | critical | debug | emergency | error | information | notification |
      warning}
    set signature {disable | enable}
    set sslvpn-log-adm {disable | enable}
    set sslvpn-log-auth {disable | enable}
    set sslvpn-log-session {disable | enable}
    set system {disable | enable}
    set traffic {disable | enable}
    set url-filter {disable | enable}
    set violation {disable | enable}
    set virus {disable | enable}
    set voip {disable | enable}
    set voip-all {disable | enable}
    set web {disable | enable}
    set web-content {disable | enable}
    set web-filter-activex {disable | enable}
    set web-filter-applet {disable | enable}
    set web-filter-cookie {disable | enable}
  end
Keywords and variables
  admin {disable | enable}
    Enable or disable logging all administrative events, such as user logins, resets, and
    configuration updates in the event log. This keyword is available when event is enabled.
    Default: enable
  allowed {disable | enable}
    Enable or disable logging all traffic that is allowed according to the firewall policy settings
    in the traffic log. This keyword is available when traffic is enabled. Default: enable
  anomaly {disable | enable}
    Enable or disable logging all detected and prevented attacks based on unknown or suspicious
    traffic patterns, and the action taken by the FortiGate unit in the attack log. This keyword is
    available when attack is enabled. Default: enable
  attack {disable | enable}
    Enable or disable the attack log. Default: enable
  auth {disable | enable}
    Enable or disable logging all firewall-related events, such as user authentication in the event
    log. This keyword is available when event is enabled. Default: enable
  blocked {disable | enable}
    Enable or disable logging all instances of blocked files. Default: enable
  dhcp {disable | enable}
    Enable or disable logging of DHCP service messages. Default: enable
  email {disable | enable}
    Enable or disable the spam filter log. Default: enable
  email-log-imap {disable | enable}
    Enable or disable logging of spam detected in IMAP traffic. Available only when email is
    enabled. Default: enable
  email-log-pop3 {disable | enable}
    Enable or disable logging of spam detected in POP3 traffic. Available only when email is
    enabled. Default: enable
  email-log-smtp {disable | enable}
    Enable or disable logging of spam detected in SMTP traffic. Available only when email is
    enabled. Default: enable
  event {disable | enable}
    Enable or disable the event log. Default: enable
  ha {disable | enable}
    Enable or disable HA activity messages. Default: enable
  ftgd-wf-block {disable | enable}
    Enable or disable logging of web pages blocked by FortiGuard category filtering in the web
    filter log. This keyword is available when web is enabled. Default: enable
  ftgd-wf-errors {disable | enable}
    Enable or disable logging all instances of FortiGuard category filtering rating errors. This
    keyword is available when web is enabled. Default: enable
  im {disable | enable}
    Enable or disable logging of instant messages and Peer-to-Peer (P2P) events. Default: enable
  im-all {disable | enable}
    Enable or disable logging of instant messages. Default: enable
  infected {disable | enable}
    Enable or disable logging of all virus infections in the antivirus log. This keyword is
    available when virus is enabled. Default: enable
  ipsec {disable | enable}
    Enable or disable logging of IPSec negotiation events, such as progress and error reports in
    the event log. This keyword is available when event is enabled. Default: enable
  other-traffic {disable | enable}
    Enable or disable ICSA compliant logs. This setting is independent from the traffic setting.
    When enabled, traffic log entries are generated:
      for all dropped ICMP packets
      for all dropped invalid IP packets
      for session start and on session deletion
    This setting is not rate limited. A large volume of invalid packets can dramatically increase
    the number of log entries. Default: disable
  oversized {disable | enable}
    Enable or disable logging of oversized files in the antivirus log. This keyword is available
    when virus is enabled. Default: enable
  pattern {disable | enable}
    Enable or disable logging of all pattern update events, such as antivirus and IPS pattern
    updates and update failures in the event log. This keyword is available when event is enabled.
    Default: enable
  ppp {disable | enable}
    Enable or disable logging of all L2TP, PPTP, and PPPoE-related events, such as manager and
    socket creation processes, in the event log. This keyword is available when event is enabled.
    Default: enable
  severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The FortiGate unit logs all messages at and above the
    logging severity level you select. For example, if you select error, the unit logs error,
    critical, alert and emergency level messages.
      emergency - The system is unusable.
      alert - Immediate action is required.
      critical - Functionality is affected.
      error - An erroneous condition exists and functionality is probably affected.
      warning - Functionality might be affected.
      notification - Information about normal events.
      information - General information about system operations.
      debug - Information used for diagnosing or debugging the FortiGate unit.
    Default: information
  signature {disable | enable}
    Enable or disable logging of detected and prevented attacks based on the attack signature, and
    the action taken by the FortiGate unit, in the attack log. This keyword is available when
    attack is enabled. Default: enable
  sslvpn-log-adm {disable | enable}
    Enable or disable logging of SSL-VPN administration. Default: enable
  sslvpn-log-auth {disable | enable}
    Enable or disable logging of SSL-VPN user authentication. Default: enable
  sslvpn-log-session {disable | enable}
    Enable or disable logging of SSL-VPN sessions. Default: enable
  system {disable | enable}
    Enable or disable logging of system activity messages. Default: enable
  traffic {disable | enable}
    Enable or disable the traffic log. Default: enable
  url-filter {disable | enable}
    Enable or disable logging of blocked URLs (specified in the URL block list) in the web filter
    log. This keyword is available when web is enabled. Default: enable
  violation {disable | enable}
    Enable or disable logging of all traffic that violates the firewall policy settings in the
    traffic log. This keyword is available when traffic is enabled. Default: enable
virus {disable | enable}
    Enable or disable the antivirus log.
    Default: enable
voip {disable | enable}
    Enable or disable logging of VoIP events. If enabling VoIP, also enable VoIP settings in a protection profile. See firewall on page 81 about enabling VoIP settings in a protection profile.
    Default: enable
voip-all {disable | enable}
    Enable or disable logging of all subcategories of VoIP events. If enabling VoIP, also enable VoIP settings in a protection profile. See firewall on page 81 about enabling VoIP settings in a protection profile.
    Default: enable
web {disable | enable}
    Enable or disable the web filter log.
    Default: enable
web-content {disable | enable}
    Enable or disable logging of blocked content (specified in the banned words list) in the web filter log. This keyword is available when web is enabled.
    Default: enable
web-filter-activex {disable | enable}
    Enable or disable the logging of ActiveX block messages.
    Default: enable
web-filter-applet {disable | enable}
    Enable or disable the logging of Java applet block messages.
    Default: enable
web-filter-cookie {disable | enable}
    Enable or disable the logging of cookie block messages.
    Default: enable
Example
This example shows how to set the logging severity level to warning, enable virus logging for infected files, and enable event logging for anomaly and IPSec events.
config log disk filter
    set severity warning
    set virus enable
    set infected enable
    set event enable
    set anomaly enable
    set ipsec enable
end
Command history
FortiOS v2.80 Substantially revised.
FortiOS v2.8 MR2 Removed email_content keyword. Added email_log_imap, email_log_pop3, and email_log_smtp keywords.
FortiOS v3.0 cat-monitor, exempt and content-keywords commands removed. url-block command renamed to url-filter. cat-block and cat-errors commands renamed to ftgd-wf-block and ftgd-wf-errors respectively. New keywords im, im-all and sslvpn-auth, sslvpn-adm, sslvpn-session, web-filter-activex, web-filter-applet and web-filter-cookie added.
FortiOS v3.0MR4 Added the FortiGuard Log & Analysis command, fortiguard, for configuring the filter settings for the FortiGuard Log & Analysis server. Also added VoIP commands.
Related topics
log fortianalyzer setting
log memory setting
log syslogd setting
log webtrends setting
log trafficfilter
log report definition
firewall
disk setting
Use this command to configure log settings for logging to the local disk. Disk logging is only available
for FortiGate units with an internal hard disk. You can also use this command to configure the
FortiGate unit to upload current log files to an FTP server every time the log files are rolled.
Command syntax pattern
config log disk setting
    set status {enable | disable}
    set max-log-file-size <integer max>
    set roll-schedule {daily | weekly}
    set roll-time <hh:mm>
    set diskfull {nolog | overwrite}
    set upload {enable | disable}
    set upload-destination {fortianalyzer | ftp-server}
    set uploadip <class_ip>
    set uploadport <port_integer>
    set uploaduser <user_str>
    set uploadpass <passwd>
    set uploaddir <dir_name_str>
    set uploadtype {attack event im spamfilter traffic virus voip webfilter}
    set uploadzip {disable | enable}
    set uploadsched {disable | enable}
    set uploadtime <time_integer>
    set upload-delete-files {enable | disable}
    set drive-standby-time <0-19800>
end
Keywords and variables Description Default
status {enable | disable}
    Enter enable to enable logging to the local disk.
    Default: disable
max-log-file-size <integer max>
    Enter the maximum size of the log file (in MB) that is saved to the local disk. When the log file reaches the specified maximum size, the FortiGate unit saves the current log file and starts a new active log file. The default maximum log file size is 1 MB and the maximum log file size allowed is 1024 MB.
    Default: 100
roll-schedule {daily | weekly}
    Enter the frequency of the log rolling. When set, the FortiGate unit will roll the log even if the maximum size has not been reached.
    Default: daily
roll-time <hh:mm>
    Enter the time of day, in the format hh:mm, when the FortiGate unit saves the current log file and starts a new active log file.
    Default: 00:00
diskfull {nolog | overwrite}
    Enter the action to take when the local disk is full. When you enter nolog, the FortiGate unit will stop logging, and overwrite will begin overwriting the oldest file once the local disk is full.
    Default: overwrite
upload {enable | disable}
    Enable or disable uploading log files to a remote directory. Enable upload to upload log files to an FTP server whenever a log file rolls. Use the uploaddir, uploadip, uploadpass, uploadport, and uploaduser keywords to add the information required to connect to the FTP server and upload the log files to a specific location on the server. Use the uploadtype keyword to select the type of log files to upload. Use the upload-delete-files keyword to delete the files from the hard disk once the FortiGate unit completes the file transfer. All upload keywords are available after enabling the upload command.
    Default: disable
upload-destination {fortianalyzer | ftp-server}
    Select to upload log files directly to a FortiAnalyzer unit or to an FTP server. When you select to upload log files directly to a FortiAnalyzer unit, you can also schedule when to upload the log files, when the log file rolls, and so on.
    Default: disable
uploadip <class_ip>
    Enter the IP address of the FTP server.
    Default: 0.0.0.0
uploadport <port_integer>
    Enter the port number used by the FTP server. The default port is 21. Port 21 is the standard FTP port.
    Default: 21
uploaduser <user_str>
    Enter the user account for the upload server.
    Default: No default.
uploadpass <passwd>
    Enter the password required to connect to the FTP server.
    Default: No default.
uploaddir <dir_name_str>
    Enter the name of the path on the FTP server where the log files will be transferred to. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server.
    Default: No default.
uploadtype {attack event im spamfilter traffic virus voip webfilter}
    Select the log files to upload to the FTP server. You can enter one or more of the log file types separated by spaces. If you want to remove a log file type from the list or add a log file type to the list, you must retype the list with the log file type removed or added.
    Default: traffic event spamfilter virus webfilter voip im
uploadzip {disable | enable}
    Enter enable to compress the log files after uploading to the FTP server. If disable is entered, the log files are uploaded to the FTP server in plain text format.
    Default: disable
uploadsched {disable | enable}
    Enable log uploads at a specific time of the day. When set to disable, the FortiGate unit uploads the logs when the logs are rolled.
    Default: disable
uploadtime <time_integer>
    Enter the time of day when the FortiGate unit uploads the logs. The uploadsched setting must first be set to enable.
    Default: 0
upload-delete-files {enable | disable}
    Enable or disable the removal of the log files once the FortiGate unit has uploaded the log file to the FTP server.
    Default: enable
drive-standby-time <0-19800>
    Set the power management for the hard disk. Enter the number of seconds, up to 19800. If there is no hard disk activity within the defined time frame, the hard disk will spin down to conserve energy. Setting the value to 0 disables the setting.
    Default: 0
Example
This example shows how to enable logging to the local disk, set the action to stop logging when the disk is full, give log files a maximum size of 300MB, roll log files daily and start a new one at 1:30pm every day.
config log disk setting
    set status enable
    set diskfull nolog
    set max-log-file-size 300
    set roll-schedule daily
    set roll-time 01:30
end
This example shows how to enable uploading the traffic log and content archive files to an FTP server. The FTP server has the IP address 172.30.120.24, the user name is ftpone, the password is ftppass1, and the directory on the FTP server is fortigate\login.
config log disk setting
    set upload enable
    set uploadip 172.30.120.24
    set uploaduser ftpone
    set uploadpass ftppass1
    set uploadtype traffic content
    set uploaddir fortigate\logs
end
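The value ranges stated in this section (max-log-file-size up to 1024 MB, drive-standby-time 0-19800 seconds, roll-time as hh:mm, upload keywords only meaningful once upload is enabled, uploadtime only with uploadsched) are easy to get wrong when a config block is generated by a script. The Python below is an added example, not code from the reference or from Fortinet: it validates a dictionary of disk-setting keywords against those ranges and renders it as a config block in the order the syntax pattern lists the keywords. It also flags the content log type that FortiOS 3.0 MR5 removed from uploadtype, as the command history notes. The 1-65535 check for uploadport is an assumption (the TCP port range; the page gives no range), and the dictionary keys are simply the keyword names from the syntax pattern.

```python
import re

# Enumerated keywords and their accepted values, as listed in the syntax pattern.
ENUMS = {
    "status": {"enable", "disable"},
    "roll-schedule": {"daily", "weekly"},
    "diskfull": {"nolog", "overwrite"},
    "upload": {"enable", "disable"},
    "upload-destination": {"fortianalyzer", "ftp-server"},
    "uploadzip": {"disable", "enable"},
    "uploadsched": {"disable", "enable"},
    "upload-delete-files": {"enable", "disable"},
}
# Log types accepted by uploadtype in 3.0 MR5 (the "content" type was removed in MR5).
UPLOAD_TYPES = {"attack", "event", "im", "spamfilter", "traffic", "virus", "voip", "webfilter"}
# Keywords the reference says are only available once upload is enabled.
UPLOAD_KEYWORDS = {
    "upload-destination", "uploadip", "uploadport", "uploaduser", "uploadpass", "uploaddir",
    "uploadtype", "uploadzip", "uploadsched", "uploadtime", "upload-delete-files",
}
# Keyword order of the syntax pattern, used when rendering.
ORDER = [
    "status", "max-log-file-size", "roll-schedule", "roll-time", "diskfull", "upload",
    "upload-destination", "uploadip", "uploadport", "uploaduser", "uploadpass", "uploaddir",
    "uploadtype", "uploadzip", "uploadsched", "uploadtime", "upload-delete-files",
    "drive-standby-time",
]
HHMM = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")


def _int_in(value, low, high) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_disk_setting(settings: dict) -> list:
    """Return the problems found (an empty list means the block is consistent)."""
    problems = []
    for key, value in settings.items():
        if key in ENUMS and value not in ENUMS[key]:
            problems.append(f"{key}: must be one of {sorted(ENUMS[key])}")
    if "max-log-file-size" in settings and not _int_in(settings["max-log-file-size"], 1, 1024):
        problems.append("max-log-file-size: 1-1024 MB")
    if "roll-time" in settings and not HHMM.match(str(settings["roll-time"])):
        problems.append("roll-time: hh:mm")
    # The page gives no range for uploadport; 1-65535 is the TCP port range (assumption).
    if "uploadport" in settings and not _int_in(settings["uploadport"], 1, 65535):
        problems.append("uploadport: 1-65535")
    if "uploadtype" in settings:
        unknown = sorted(set(settings["uploadtype"]) - UPLOAD_TYPES)
        if unknown:
            problems.append(f"uploadtype: unknown {unknown}")
    if "drive-standby-time" in settings and not _int_in(settings["drive-standby-time"], 0, 19800):
        problems.append("drive-standby-time: 0-19800 seconds")
    if settings.get("upload") != "enable":
        used = sorted(UPLOAD_KEYWORDS & set(settings))
        if used:
            problems.append(f"upload keywords need 'set upload enable': {used}")
    if "uploadtime" in settings and settings.get("uploadsched") != "enable":
        problems.append("uploadtime requires uploadsched enable")
    return problems


def render_disk_setting(settings: dict) -> str:
    """Emit the config block in syntax-pattern order; list values (uploadtype)
    are joined with spaces, which is how the CLI expects them."""
    problems = validate_disk_setting(settings)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config log disk setting"]
    for key in ORDER:
        if key in settings:
            value = settings[key]
            text = " ".join(value) if isinstance(value, (list, tuple)) else str(value)
            lines.append(f"    set {key} {text}")
    lines.append("end")
    return "\n".join(lines)


# The page's first disk-setting example, expressed as a dict.
EXAMPLE_ONE = {"status": "enable", "diskfull": "nolog", "max-log-file-size": 300,
               "roll-schedule": "daily", "roll-time": "01:30"}

if __name__ == "__main__":
    print(render_disk_setting(EXAMPLE_ONE))
```

Running the block prints the first example of this section with its keywords reordered to match the syntax pattern; feeding it the second example's uploadtype list reports content as unknown, which is the MR5 change the command history records.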
Command history
FortiOS v2.80 Substantially revised.
FortiOS v2.8 MR2 Removed ftppasswd, ftpserver, and ftpuser keywords. Added upload, uploaddir, uploadip, uploadpass, uploadport, uploadtype, and uploaduser keywords.
FortiOS v3.0 Renamed keyword filesize to max-log-file-size. Removed duration and unit keywords. Added upload-delete-files command.
FortiOS v3.0MR2 Removed roll-day command.
FortiOS v3.0MR4 Additional log files new to FortiOS 3.0MR4 were added to the uploadtype keyword: voip and im.
FortiOS v3.0MR5 Removed the keyword content from the uploadtype command. Added keyword upload-destination for uploading log files to a FortiAnalyzer unit.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log trafficfilter
log webtrends setting
log report definition
fortianalyzer setting
Use this command to configure the FortiGate unit to send log files to a FortiAnalyzer unit. See
fortianalyzer, fortianalyzer2, fortianalyzer3 on page 320 to set the FortiAnalyzer configuration
settings.
FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and
data storage. Detailed log reports provide historical as well as current analysis of network and email
activity to help identify security issues and reduce network misuse and abuse.
Using the CLI, you can send logs to up to three different FortiAnalyzer units for maximum fail-over
protection of log data. After configuring logging to FortiAnalyzer units, the FortiGate unit will send the
same log packets to all configured FortiAnalyzer units. Additional FortiAnalyzer units are configured
using the fortianalyzer2 and fortianalyzer3 commands.
Use the multi-report command to enable configuring FortiAnalyzer reports. By default,
multi-report is disabled and only the default FortiAnalyzer report is available.
Command syntax pattern
config log fortianalyzer setting
    set status {disable | enable}
    set multi-report {enable | disable}
end
Note: The FortiAnalyzer CLI commands are not cumulative. Using a syntax similar to the following is not valid:
config log fortianalyzer fortianalyzer2 fortianalyzer3 setting
Keywords and variables Description Default
status {disable | enable}
    Enter enable to enable logging to a FortiAnalyzer unit.
    Default: disable
multi-report {enable | disable}
    Enter enable to allow configuring of multiple reports. You need to enable this command to configure any FortiAnalyzer reports.
    Default: disable
Example
This example shows how to enable logging to a FortiAnalyzer unit.
config log fortianalyzer setting
    set status enable
end
Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 Added localid and psksecret keywords.
FortiOS v3.0 Moved all FortiAnalyzer configuration keywords under config system fortianalyzer. Command includes up to three FortiAnalyzer units, fortianalyzer2 and fortianalyzer3. Changed FortiLog product name to FortiAnalyzer.
FortiOS v3.0MR4 Added multi-report keyword.
Related topics
system fortianalyzer, fortianalyzer2, fortianalyzer3
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log webtrends setting
log trafficfilter
log report definition
fortiguard setting
Use this command for configuring FortiGuard Analysis Service settings. See the FortiGate
Administration Guide for more information about subscription-based FortiGuard Analysis Service,
including enabling logging to a FortiGuard Analysis server.
Command syntax pattern
config log fortiguard setting
    set quotafull {nolog | overwrite}
    set status {disable | enable}
end
Note: The fortiguard setting command is only available when FortiGuard Analysis Service subscription-based services are enabled. The storage space is a specified amount, and varies, depending on the services requested.
Keywords and variables Description Default
quotafull {nolog | overwrite}
    Enter the action to take when the specified storage space on the FortiGuard Analysis server is full. When you enter nolog, the FortiGate unit will stop logging, and overwrite will begin overwriting the oldest file.
    Default: overwrite
status {disable | enable}
    Enter enable to enable logging to the FortiGuard Analysis server.
    Default: disable
Example
In this example, the FortiGate unit is logging to a FortiGuard Analysis server, and will stop logging when the maximum storage space on the server is reached.
config log fortiguard setting
    set quotafull nolog
    set status enable
end
Command history
FortiOS v3.0MR4 New.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
memory setting
Use this command to configure log settings for logging to the FortiGate system memory.
The FortiGate system memory has a limited capacity and only displays the most recent log entries.
Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all
available memory is used, by default the FortiGate unit begins to overwrite the oldest messages. All
log entries are deleted when the FortiGate unit restarts.
Command syntax pattern
config log memory setting
    set diskfull {blocktraffic | overwrite | nolog}
    set status {disable | enable}
end
Keywords and variables Description Default
diskfull {blocktraffic | overwrite | nolog}
    Enter the action to take when the memory is reaching its capacity. nolog means the FortiGate unit will stop logging, overwrite means the FortiGate unit will begin overwriting the oldest file and blocktraffic means the FortiGate unit will block traffic when the memory is full.
    Default: overwrite
status {disable | enable}
    Enter enable to enable logging to the FortiGate system memory.
    Default: disable
Example
This example shows how to enable logging to the FortiGate system memory, and configure the FortiGate unit to stop logging when the log memory buffer is full.
config log memory setting
    set status enable
    set diskfull nolog
end
Command history
FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added diskfull keyword.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log syslogd setting
log webtrends setting
log trafficfilter
log report definition
syslogd setting
Use this command to configure log settings for logging to a remote syslog server. You can configure
the FortiGate unit to send logs to a remote computer running a syslog server.
Using the CLI, you can send logs to up to three different syslog servers. Configure additional syslog
servers using the syslogd2 and syslogd3 commands and the same keywords outlined below.
Command syntax pattern
config log syslogd setting
    set csv {disable | enable}
    set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    set port <port_integer>
    set server <address_ipv4>
    set status {disable | enable}
end
Note: Syslog CLI commands are not cumulative. Using a syntax similar to the following is not valid:
config log syslogd syslogd2 syslogd3 setting
Keywords and variables Description Default
csv {disable | enable}
    Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files.
    Default: disable
facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type. facility identifies the source of the log message to syslog. You might want to change facility to distinguish log messages from different FortiGate units. Available facility types are:
    alert: log alert
    audit: log audit
    auth: security/authorization messages
    authpriv: security/authorization messages (private)
    clock: clock daemon
    cron: cron daemon performing scheduled commands
    daemon: system daemons running background system processes
    ftp: File Transfer Protocol (FTP) daemon
    kernel: kernel messages
    local0 to local7: reserved for local use
    lpr: line printer subsystem
    mail: email system
    news: network news subsystem
    ntp: Network Time Protocol (NTP) daemon
    syslog: messages generated internally by the syslog daemon
    Default: local7
port <port_integer>
    Enter the port number for communication with the syslog server.
    Default: 514
server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs.
    Default: No default.
status {disable | enable}
    Enter enable to enable logging to a remote syslog server.
    Default: disable
Example
This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and enable logging in CSV format.
config log syslogd setting
    set status enable
    set server 220.210.200.190
    set port 601
    set csv enable
end
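What the syslog server actually receives depends on two settings described in this chapter: the severity keyword of the log filter (earlier in this chapter, with its rule that everything at and above the selected level is logged) and the facility keyword of this command. The Python below is an added example and not code from the reference or from Fortinet. It maps the FortiGate severity and facility names onto the standard syslog codes, computes the PRI number a receiver sees (facility times 8 plus severity, so local7 with error gives 187), applies the severity threshold to a handful of constructed lines and parses their key=value bodies the way a collector would. The numeric facility codes for the FortiOS names are taken from RFC 3164 and Linux syslog.h rather than from the page (cron and clock in particular are an assumption), and the line shape, devname and msg values are constructed for the example.

```python
import re

# Severity names from the FortiGate "severity" keyword, mapped to the standard
# syslog severity codes (RFC 3164 section 4.1.1); a lower code is more severe.
SEVERITY_CODE = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

# Facility names from the FortiGate "facility" keyword, mapped to syslog facility
# codes. The reference does not state the numbers FortiOS uses; these follow
# RFC 3164 (kernel=0, log audit=13, log alert=14, clock daemon=15) and Linux
# syslog.h (cron=9, authpriv=10, ftp=11), so cron and clock are an assumption.
FACILITY_CODE = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
CODE_TO_FACILITY = {v: k for k, v in FACILITY_CODE.items()}
CODE_TO_SEVERITY = {v: k for k, v in SEVERITY_CODE.items()}


def passes_severity_filter(configured: str, message_level: str) -> bool:
    """True if a message at message_level is logged when the filter's severity
    keyword is set to configured: levels at and above it (numerically <=) pass."""
    return SEVERITY_CODE[message_level] <= SEVERITY_CODE[configured]


def encode_pri(facility: str, severity: str) -> int:
    """PRI value written as <N> at the start of the syslog message."""
    return FACILITY_CODE[facility] * 8 + SEVERITY_CODE[severity]


def decode_pri(pri: int) -> tuple:
    return CODE_TO_FACILITY[pri // 8], CODE_TO_SEVERITY[pri % 8]


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key=value pairs; values may be quoted (with spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_syslog_line(line: str) -> dict:
    """Split '<PRI>key=value ...' into facility, severity and a field dict.
    The key=value body with quoted values is a constructed shape for this
    example, not a format taken from the reference."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:
        raise ValueError("PRI out of range")
    facility, severity = decode_pri(pri)
    fields = {}
    for key, whole, quoted, bare in _KV_RE.findall(m.group(2)):
        fields[key] = quoted if whole.startswith('"') else bare
    return {"pri": pri, "facility": facility, "severity": severity, "fields": fields}


def select_for_receiver(lines: list, configured: str) -> list:
    """Apply the unit's severity filter to raw lines and return the parsed
    messages that would reach the syslog server."""
    kept = []
    for line in lines:
        msg = parse_syslog_line(line)
        if passes_severity_filter(configured, msg["severity"]):
            kept.append(msg)
    return kept


# Constructed sample lines using facility local7 (the page's default); the
# devname, type, pri and msg values are invented for this example.
SAMPLE_LINES = [
    '<187>devname="FGT-60" type=event pri=error msg="log disk is full"',
    '<188>devname="FGT-60" type=event pri=warning msg="disk 90% full"',
    '<189>devname="FGT-60" type=event pri=notification msg="admin login"',
    '<191>devname="FGT-60" type=event pri=debug msg="socket created"',
]

if __name__ == "__main__":
    for msg in select_for_receiver(SAMPLE_LINES, "warning"):
        print(msg["facility"], msg["severity"], msg["fields"]["msg"])
```

With the filter set to warning, only the error and warning lines survive; setting it to debug keeps all four. Changing the facility keyword on a second FortiGate unit changes the PRI prefix, which is what lets a collector keep the two units' messages apart.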
Command history
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR3 Added alert and audit keywords for use with the facility keyword.
FortiOS v3.0 Command includes up to three syslog servers, syslogd2 and syslogd3.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log webtrends setting
log trafficfilter
log report definition
webtrends setting
Use this command to configure log settings for logging to a remote computer running a NetIQ
WebTrends firewall reporting server.
FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with
NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1.
Command syntax pattern
config log webtrends setting
    set server <address_ipv4>
    set status {disable | enable}
end
Keywords and variables Description Default
server <address_ipv4>
    Enter the IP address of the WebTrends server that stores the logs.
    Default: No default.
status {disable | enable}
    Enter enable to enable logging to a WebTrends server.
    Default: disable
Example
This example shows how to enable logging to a remote WebTrends server and set its IP address.
config log webtrends setting
    set status enable
    set server 220.210.200.190
end
Command history
FortiOS v2.80 Substantially revised.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log trafficfilter
log report definition
trafficfilter
Use this command to configure the following global settings for traffic logging:
resolve IP addresses to host names
display the port number or service (protocol) in the log message
Command syntax pattern
config log trafficfilter
    set display {name | port}
    set resolve {disable | enable}
end
The config log trafficfilter command has 1 subcommand:
config rule
Keywords and variables Description Default
display {name | port}
    Enter name to enable the display of the service name in the traffic log messages. Enter port to display the port number used by traffic in traffic log messages.
    Default: port
resolve {disable | enable}
    Enter enable to enable resolving IP addresses to host names in traffic log messages.
    Default: disable
Example
This example shows how to display the service name and enable resolving IP addresses to host names in log messages.
config log trafficfilter
    set display name
    set resolve enable
end
config rule
Access the rule subcommand using the log trafficfilter command.
Use the following commands to configure traffic filter rules based on source IP address, destination IP address, and service (protocol).
Command syntax pattern
config rule
    edit <name_str>
        set dst <any_ip&any_netmask>
        set service <name_str>
        set src <class_ip&net_netmask>
end
Keywords and variables Description Default
dst <any_ip&any_netmask>
    Enter the destination IP address and netmask for which you want to filter traffic logs.
    Default: 0.0.0.0 0.0.0.0
service <name_str>
    Enter the service for which you want to filter traffic logs. You can choose from any of the predefined services listed and any custom services you have configured. See firewall service custom on page 126.
    Default: No default.
src <class_ip&net_netmask>
    Enter the source IP address and netmask for which you want to filter traffic logs.
    Default: 0.0.0.0 0.0.0.0
Example
This example shows how to configure a traffic filter called TF_1, to configure the source and destination IP and netmask, and to set the service to HTTP.
config log trafficfilter
    config rule
        edit TF_1
            set dst 220.210.200.190 255.255.255.0
            set src 192.168.100.1 255.255.255.0
            set service HTTP
        end
end
Command history
FortiOS v2.80 Revised.
Related topics
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
log fortianalyzer setting
log memory setting
log syslogd setting
log webtrends setting
log report definition
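To make the rule semantics of config rule concrete, here is an added example, not code from the reference or from Fortinet, that applies the TF_1 rule shown above to constructed traffic records using Python's ipaddress module. It assumes a record matches a rule only when source, destination and service all match, that a rule whose service is not set matches any service, and that the default 0.0.0.0 0.0.0.0 means any address; the record field names (srcip, dstip, service) and their values are invented for the example. The address-plus-netmask strings are the same text you would type after set src and set dst.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrafficFilterRule:
    """One entry under config log trafficfilter / config rule."""
    name: str
    src: ipaddress.IPv4Network      # set src <ip> <netmask>
    dst: ipaddress.IPv4Network      # set dst <ip> <netmask>
    service: Optional[str] = None   # set service <name>; None = not set (no default)


def ip_and_mask(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Convert the CLI's "address netmask" pair into a network.

    strict=False masks off the host bits, so the page's "192.168.100.1 255.255.255.0"
    means 192.168.100.0/24; the default "0.0.0.0 0.0.0.0" becomes 0.0.0.0/0,
    which contains every address.
    """
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def make_rule(name: str, src: str = "0.0.0.0 0.0.0.0", dst: str = "0.0.0.0 0.0.0.0",
              service: Optional[str] = None) -> TrafficFilterRule:
    """Build a rule from the strings you would type after set src / set dst / set service."""
    return TrafficFilterRule(name, ip_and_mask(*src.split()), ip_and_mask(*dst.split()), service)


def rule_matches(rule: TrafficFilterRule, record: dict) -> bool:
    """Assumed semantics: source, destination and service must all match;
    a rule with no service set matches any service."""
    if ipaddress.IPv4Address(record["srcip"]) not in rule.src:
        return False
    if ipaddress.IPv4Address(record["dstip"]) not in rule.dst:
        return False
    if rule.service is not None and record["service"].upper() != rule.service.upper():
        return False
    return True


def matching_rules(rules, record: dict) -> list:
    """Names of the rules a traffic record satisfies, in configuration order."""
    return [r.name for r in rules if rule_matches(r, record)]


# The page's TF_1 rule plus a catch-all rule that keeps both address defaults.
RULES = [
    make_rule("TF_1", src="192.168.100.1 255.255.255.0",
              dst="220.210.200.190 255.255.255.0", service="HTTP"),
    make_rule("ALL"),
]

# Constructed traffic records (field names and values invented for this example).
SAMPLE_RECORDS = [
    {"srcip": "192.168.100.77", "dstip": "220.210.200.5", "service": "HTTP"},
    {"srcip": "192.168.100.77", "dstip": "220.210.200.5", "service": "DNS"},
    {"srcip": "10.0.0.3", "dstip": "220.210.200.5", "service": "HTTP"},
    {"srcip": "192.168.100.1", "dstip": "220.210.201.1", "service": "HTTP"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", matching_rules(RULES, rec))
```

Only the first record satisfies TF_1: the second has the wrong service, the third comes from outside 192.168.100.0/24, and the fourth goes to 220.210.201.1, which the /24 mask on the destination excludes. Every record matches the catch-all rule, which is what the page's defaults of 0.0.0.0 0.0.0.0 and no service amount to.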
report customization
Use this command to customize your report with the company name, or to customize footers and
headers.
Command syntax pattern
config log report customization
    set company <company_name>
    set footer-option {custom | report-title} <footer>
    set header <header_name>
end
Keywords and variables Description Default
company <company_name>
    Enter your company name to display on the report.
    Default: No default.
footer-option {custom | report-title} <footer>
    Enter report-title to display the report title in the footers of the report, or custom to customize the footers. When customizing the footer, you can enter the footer comment by using footer instead of entering footer-option custom.
    Default: report-title
header <header_name>
    Enter a header for the report.
    Default: No default.
Example
This example shows how to customize the report with the company name XYN, along with a customized footer and header for the report.
config log report customization
    set company XYN
    set footer "XYN: Weekly Report"
    set header "XYN: Week of June 21"
end
Command history
FortiOS v3.0 New for this release.
FortiOS v3.0MR5 Added footer for entering the footer comment without selecting footer-option custom.
Related topics
report filter
report output
report period
report schedule
report scope
report selection
report definition
Use this command to add information to the report, including the title of the report and a description of
what is contained in the report.
Command syntax pattern
config log report definition
    set description <report_description>
    set title <report_title>
end
Keywords and variables Description Default
description <report_description>
    Enter a description for the report describing what the report contains. Enclose the description in quotes. For example, "This report contains network traffic statistics."
    Default: No default.
title <report_title>
    Enter a title for the report. If the title is more than one word, enclose the title in quotes. For example, "Network Traffic Statistics".
    Default: No default.
Example
This example shows how to set the report description and title.
config log report definition
    set description "A weekly traffic report for the FortiGate-60"
    set title "Weekly Report"
end
Command history
FortiOS v3.0 New for this release.
Related topics
report filter
report output
report period
report schedule
report scope
report selection
report filter
Use this command to view or remove information from a report to provide a more concise report. For example, you may only want reports on specific error messages, or you may not want to include certain IP address destinations.
Command syntax pattern
config log report filter
    set filter-string <filter_string>
end
Keywords and variables Description Default
filter-string <filter_string>
    Enter a filter string to define what is included in the report.
    Default: No default.
Command history
FortiOS v3.0 New for this release.
Related topics
report definition
report output
report period
report schedule
report scope
report selection
report output
Use this command to configure a file format for the report for email recipients, saved to the
FortiAnalyzer hard disk. Use this command to also configure the FortiAnalyzer unit to upload the report
files to an FTP server when completed.
Command syntax pattern
config log report output
    config addresses
        edit address <address_str>
            set from <from_sender>
            set server <server_ip>
        next
    end
    set email {html | pdf | rtf | txt}
    set email-attachment-name <name_str>
    set email-body <string>
    set email-subject <subject_str>
    set file {html | pdf | rtf | txt}
    set upload {enable | disable}
    set upload-delete {enable | disable}
    set upload-dir <directory_str>
    set upload-gzipped {enable | disable}
    set upload-ip <ip_str>
    set upload-password <passwd_str>
    set upload-server-type {FTP | SCP | SFTP}
    set upload-username <username_str>
end
Keywords and variables Description Default
edit address <address_str>
    Enter the email recipients for the FortiAnalyzer report.
    Default: No default.
set from <from_sender>
    Enter the sender's email address.
    Default: No default.
set server <server_ip>
    Enter the server IP address.
    Default: No default.
email {html | pdf | rtf | txt}
    Select the file format the FortiAnalyzer unit sends to the email recipients.
    Default: No default.
email-attachment-name <name_str>
    Enter the email output attachment name.
    Default: No default.
email-body <string>
    Enter the email output body.
    Default: No default.
email-subject <subject_str>
    Enter the email's subject for the subject line.
    Default: No default.
file {html | pdf | rtf | txt}
    Select the file format the FortiAnalyzer unit saves to its hard disk.
    Default: html
upload {enable | disable}
    Set whether the FortiAnalyzer unit uploads the report files to an FTP server. All upload keywords are available when upload is enabled.
    Default: disable
upload-delete {enable | disable}
    Enable or disable the removal of the log files once the FortiGate unit has uploaded the log file to the FTP server.
    Default: disable
upload-dir <directory_str>
    Enter the target directory on the upload server. For example, if the file is in d:\, it would be d:\george_files_xyn2006.
    Default: No default.
upload-gzipped {enable | disable}
    Enable or disable the compressing of the log files before uploading to the FTP server. This keyword is available when upload is enabled.
    Default: disable
upload-server-type {FTP | SCP | SFTP}
    Enter the upload server type.
    Default: FTP
upload-ip <ip_str>
    Enter the IP address required to connect to the FTP server. This keyword is available when upload is enabled.
    Default: No default.
upload-password <passwd_str>
    Enter the password required to connect to the FTP server. This keyword is available when upload is enabled.
    Default: No default.
upload-username <username_str>
    Enter the user name required to connect to the FTP server. This keyword is available when upload is enabled.
    Default: No default.
Example
This example shows how to set the report output to HTML and PDF formats.
config log report output
    set file html pdf
end
Command history
FortiOS v3.0 New for this release.
FortiOS v3.0MR2 Added the following keywords: email-subject, upload-server-type, upload-dir.
Related topics
report definition
report filter
report period
report schedule
report scope
report selection
report period
Use this command to select the time span for the report period or select a specific time frame. When
the FortiAnalyzer unit generates the report, it uses the log data found within the specified time period
only.
Command syntax pattern
conf i g l og r epor t per i od
set t ype {l ast - 14- days | l ast - 2- weeks | l ast - 30- days | l ast - 7- days
| l ast - mont h | l ast - n- days | l ast - n- hour s | l ast - n- weeks | l ast -
quar t er | l ast week | ot her | t hi s- mont h | t hi s- quar t er | t hi s- week |
t hi s- year | t oday | yest er day}
end
Example
This example shows how to set the reporting period to the previous weeks data.
conf i g l og r epor t per i od
set t ype l ast - week
end
Command history
Related topics
report definition
report filter
report output
report schedule
report scope
report selection
Keywords and variables Description Default
t ype {l ast - 14- days |
l ast - 2- weeks | l ast - 30-
days | l ast - 7- days | l ast -
mont h | l ast - n- days |
l ast - n- hour s | l ast - n-
weeks | l ast - quar t er |
l ast week | ot her | t hi s-
mont h | t hi s- quar t er |
t hi s- week | t hi s- year |
t oday | yest er day}
Select a time period for the report. This command is required
before entering the end and start date for the report period.
The end and start date will not appear unless a type is
selected.
l ast - 7-
days
FortiOS v3.0 New for this release.
FortiOS v3.0MR2 The keyword l ast - n is no longer available.
report schedule
Use this command to set a schedule for when the FortiAnalyzer unit generates the reports.
Command syntax pattern
config log report schedule
    set type {daily | dates | days | none}
    set dates {1-31}
    set days {mon | tue | wed | thu | fri | sat | sun}
    set time <hh:mm>
end
Keywords and variables
type {daily | dates | days | none}
    Select when the FortiAnalyzer unit initiates the report. With a selection of none, the
    FortiAnalyzer administrator must start the report manually from the FortiAnalyzer unit.
    Default: none
dates {1-31}
    Select the days of the month when the FortiAnalyzer unit runs the report. Separate multiple
    dates with a space. For example, set dates 1 15 30.
    No default.
days {mon | tue | wed | thu | fri | sat | sun}
    Select the days of the week when the FortiAnalyzer unit runs the report. Separate multiple
    days with a space. For example, set days mon wed.
    No default.
time <hh:mm>
    Select the time of day when the FortiAnalyzer unit runs the report.
    Default: 00:00
Example
This example shows how to set the report to run every Monday at 9:56.
config log report schedule
    set type days
    set days mon
    set time 09:56
end
Command history
FortiOS v3.0     New for this release.
Related topics
report definition
report filter
report output
report period
report scope
report selection
report scope
Use this command to select the type of results you would like to include in the report.
Command syntax pattern
config log report scope
    set audit <integer>
    set exclude-summary {enable | disable}
    set include-nodata {enable | disable}
    set include-summary {enable | disable}
    set include-table-of-content {enable | disable}
    set obfsucate-user {enable | disable}
    set resolve-host {enable | disable}
    set resolve-service {enable | disable}
    set result {all}
    set top1 {1-30}
    set top2 {1-30}
end
Keywords and variables
audit <integer>
    Enter a number from 1 to 10000 to display the top number of values in all audit reports.
    Default: 100
exclude-summary {enable | disable}
    Enable to exclude summary information from the report.
    Default: enable
include-nodata {enable | disable}
    Enable to include no summary information in the report.
    Default: disable
include-summary {enable | disable}
    Enable to include the summary information in the report.
    Default: disable
include-table-of-content {enable | disable}
    Enable to include the table of contents in the report.
    Default: disable
obfsucate-user {enable | disable}
    Enable to obfuscate user group names in the report.
    Default: disable
resolve-host {enable | disable}
    Enable or disable resolving IP addresses to actual user names in the report. IP aliases must
    be configured on the FortiAnalyzer unit. For example, User One instead of 10.10.10.1.
    Default: disable
resolve-service {enable | disable}
    Enable or disable resolving port numbers to service names in the report. For example, HTTP
    instead of port 80.
    Default: disable
result {all}
    Set to include the results for all virtual domains.
    Default: all
top1 {1-30}
    For some report types, you can set the number of top-ranked items for the report. These
    reports have Top in their name and always show only the top number of entries; for example,
    a report on the most active mail clients within the organization rather than all mail clients.
    Enter the value for the first top results.
    Reports that do not include Top in their name always show all information. Changing the
    values of the top fields does not affect these reports.
    Default: 6
top2 {1-30}
    As for top1, but enter the value for the second top results.
    Default: 3
Example
This example shows how to enable the resolving of host and service names in the report.
config log report scope
    set resolve-host enable
    set resolve-service enable
end
Command history
FortiOS v3.0     New for this release.
FortiOS v3.0MR4  Added the following keywords: exclude-summary, include-summary, include-nodata,
                 include-table-of-contents, obfsucate-user.
FortiOS v3.0MR5  Added the keyword audit.
Related topics
report definition
report filter
report output
report period
report schedule
report selection
report selection
Use this command to select the reports to include within the report profile.
Command syntax pattern
config log report selection
    set selection <report_category> [<report> <report>...]
end
For a list of report categories and reports, see the list in the command line interface.
Keywords and variables
selection <report_category> [<report> <report>...]
    Select the report types to include.
    No default.
Example
This example shows how to set the network activity report.
config log report selection
    set network-activity net-date-dir net-dir
end
Command history
FortiOS v3.0     New for this release.
Related topics
report definition
report filter
report output
report period
report schedule
report scope
report summary-layout
Use this command to customize the summary reports.
Command syntax pattern
config log report summary-layout
    set summary-column {1 | 2 | 3 | 4}
    config summary-reports
        edit name <sum_category> [<sum_report> <sum_report>...]
            set order <integer>
            set style {bar | line | pie}
            set topN <integer>
    end
end
Keywords and variables
summary-column {1 | 2 | 3 | 4}
    Select the number of columns included in the summary layout.
    Default: 2
summary-reports
    Enter to configure and edit summary reports.
    No default.
name <sum_category> [<sum_report> <sum_report>...]
    Select a report name to configure and edit. Enter edit name to view all summary reports so you
    can choose which one to configure and edit.
    No default.
order <integer>
    Enter a number to specify the display order of the query in the report.
    Default: 100
style {bar | line | pie}
    Select the style for the summary report.
    Default: bar
topN <integer>
    Enter a number to show the top values of the first variable in Ranked Reports. The maximum
    value is 100.
    Default: 1-10
Example
In this example, the number of columns in the summary layout is three. Four summary reports are
included in this report: the summary protocol distribution, total viruses detected, total spam activity,
and total web filter activity. The summary report for total viruses detected comes first, and all summary
reports are pie charts.
config log report summary-layout
    set summary-column 3
    config summary-reports
        edit name sum-proto
            set order 4
            set style pie
            set topN 5
        next
        edit name sum-tv
            set order 1
            set style pie
            set topN 5
        next
        edit name sum-mf
            set order 2
            set style pie
            set topN 5
        next
        edit name sum-wf
            set order 3
            set style pie
            set topN 5
    end
end
Command history
FortiOS v3.0MR4  New for this release.
Related topics
report definition
report filter
report output
report period
report schedule
report scope
router
Routers move packets from one network segment to another towards a network destination. When a
packet reaches a router, the router uses data in the packet header to look up a suitable route on which
to forward the packet to the next segment. The information that a router uses to make routing decisions
is stored in a routing table. Other factors related to the availability of routes and the status of the
network may influence the route selection that a router makes when forwarding a packet to the next
segment.
The FortiGate unit supports many advanced routing functions and is compatible with industry standard
Internet routers. The FortiGate unit can communicate with other routers to determine the best route for
a packet.
The following router commands are available to configure options related to FortiGate router
communications and packet forwarding:
access-list
aspath-list
bgp
community-list
key-chain
multicast
ospf
policy
prefix-list
rip
route-map
static
static6
access-list
Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate routing
processes. For an access list to take effect, it must be called by a FortiGate routing process (for
example, a process that supports RIP or OSPF).
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this
prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more
specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of
the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found,
the default action is deny.
Command syntax pattern
config router access-list
    edit <access_list_name>
        config rule
            edit <access_list_id>
                set action {deny | permit}
                set exact-match {enable | disable}
                set prefix {<prefix_ipv4mask> | any}
                set wildcard <address_ipv4> <wildcard_mask>
        end
end
Note: The default route, 0.0.0.0/0, cannot be exactly matched with an access-list. A prefix-list must be
used for this purpose. See prefix-list on page 242.
Note: The action and prefix keywords are required. The exact-match keyword is optional.
Variables
edit <access_list_name>
    Enter a name for the access list. An access list and a prefix list cannot have the same name.
    No default.
config rule variables
edit <access_list_id>
    Enter an entry number for the rule. The number must be an integer.
    No default.
action {deny | permit}
    Set the action to take for this prefix.
    Default: permit
exact-match {enable | disable}
    By default, access list rules are matched on the prefix or any more specific prefix. Enable
    exact-match to match only the configured prefix.
    Default: disable
prefix {<prefix_ipv4mask> | any}
    Enter the prefix for this access list rule: either type the IP address and network mask, or type
    any to match any prefix.
    Default: any
wildcard <address_ipv4> <wildcard_mask>
    Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for
    example, 0.0.255.0) determines which address bits to match. A mask bit of 0 means that the
    corresponding address bit must match exactly, while a mask bit of 1 means that the
    corresponding address bit does not have to match. You can specify discontinuous masks (for
    example, to process even or odd networks according to any network address octet). For best
    results, do not specify a wildcard attribute unless prefix is set to any.
    No default.
Example
This example shows how to add an access list named acc_list1 with two rules. The first rule denies
the subnet that exactly matches the prefix 192.168.50.0 255.255.255.0; the second rule permits all
other subnets that match the prefix 192.168.0.0 255.255.0.0.
config router access-list
    edit acc_list1
        config rule
            edit 1
                set prefix 192.168.50.0 255.255.255.0
                set action deny
                set exact-match enable
            next
            edit 2
                set prefix 192.168.0.0 255.255.0.0
                set action permit
                set exact-match disable
        end
end
The next example shows how to add an access list that permits all subnets matching network address
10.20.4.1 through 10.20.4.255 (addresses 10.20.4.x are processed):
config router access-list
    edit acc_list2
        config rule
            edit 1
                set action permit
                set wildcard 10.20.4.0 0.0.0.255
        end
end
The next example shows how to add an access list that permits odd subnets according to the third
octet of network address 172.16.x.0 (networks 172.16.1.0, 172.16.3.0, 172.16.5.0, and so on are
processed):
config router access-list
    edit acc_list3
        config rule
            edit 1
                set action permit
                set wildcard 172.16.1.0 0.0.254.0
        end
end
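To make the matching semantics of the three lists above concrete, here is an added example (not FortiOS code) that models the documented rule evaluation (prefix with or without exact-match, wildcard masks, first match wins, default deny) and runs acc_list1, acc_list2 and acc_list3 against constructed candidate networks.

```python
"""Model of the access-list rule matching described above.

Added example, not FortiOS code. It implements the documented semantics
(prefix with or without exact-match, wildcard masks where a 0 bit must
match and a 1 bit is ignored, first match wins, no match means deny) and
evaluates acc_list1, acc_list2 and acc_list3 against constructed candidate
networks.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                                      # "permit" or "deny"
    prefix: Optional[ipaddress.IPv4Network] = None   # None stands for "any"
    exact_match: bool = False
    wildcard: Optional[Tuple[int, int]] = None       # (address, wildcard mask) as ints

    @classmethod
    def from_prefix(cls, action: str, ip: str, mask: str, exact_match: bool = False):
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        return cls(action, prefix=net, exact_match=exact_match)

    @classmethod
    def from_wildcard(cls, action: str, ip: str, wildcard_mask: str):
        # prefix stays "any", as the page recommends when wildcard is used
        return cls(action, wildcard=(int(ipaddress.IPv4Address(ip)),
                                     int(ipaddress.IPv4Address(wildcard_mask))))

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        if self.wildcard is not None:
            addr, wc = self.wildcard
            care = ~wc & 0xFFFFFFFF          # mask bits of 0 = address bits that must match
            # 0.0.254.0 keeps bit 0 of the third octet significant, which is how
            # 172.16.1.0 selects only odd third octets (a discontinuous mask)
            return (int(candidate.network_address) & care) == (addr & care)
        if self.prefix is None:              # prefix any
            return True
        if self.exact_match:
            return candidate == self.prefix
        # default: the configured prefix itself or any more specific prefix inside it
        return candidate.subnet_of(self.prefix)


def evaluate(rules: List[Rule], candidate: str) -> str:
    """Walk the list top down; the first matching rule decides, otherwise deny."""
    net = ipaddress.IPv4Network(candidate, strict=False)
    for rule in rules:
        if rule.matches(net):
            return rule.action
    return "deny"


# The three access lists from the examples above, as rule objects
ACC_LIST1 = [
    Rule.from_prefix("deny", "192.168.50.0", "255.255.255.0", exact_match=True),
    Rule.from_prefix("permit", "192.168.0.0", "255.255.0.0"),
]
ACC_LIST2 = [Rule.from_wildcard("permit", "10.20.4.0", "0.0.0.255")]
ACC_LIST3 = [Rule.from_wildcard("permit", "172.16.1.0", "0.0.254.0")]

if __name__ == "__main__":
    # constructed candidate networks, not taken from the page
    cases = {
        "acc_list1": (ACC_LIST1, ["192.168.50.0/24", "192.168.50.0/25",
                                  "192.168.7.0/24", "10.1.0.0/16"]),
        "acc_list2": (ACC_LIST2, ["10.20.4.128/25", "10.20.5.0/24"]),
        "acc_list3": (ACC_LIST3, ["172.16.3.0/24", "172.16.4.0/24"]),
    }
    for name, (rules, candidates) in cases.items():
        for c in candidates:
            print(f"{name}: {c:<18} -> {evaluate(rules, c)}")
```

Note that 192.168.50.0/25 is permitted by acc_list1: rule 1 has exact-match enabled, so it only catches the /24 itself, and the more specific /25 falls through to rule 2.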
Command history
FortiOS v2.80  New.
FortiOS v3.0   Added wildcard attribute. Changed exact_match keyword to exact-match.
Related topics
router ospf
router prefix-list
router rip
aspath-list
Use this command to set or unset BGP AS-path list parameters. By default, BGP uses an ordered list
of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination.
A list of AS numbers is called an AS path. You can filter BGP routes using AS path lists.
When the FortiGate unit receives routing updates from other autonomous systems, it can perform
operations on updates from neighbors and choose the shortest path to a destination. The shortest path
is determined by counting the number of AS numbers in the AS path. The path that has the least
number of AS numbers is considered the shortest AS path.
Use the config router aspath-list command to define an access list that examines the
AS_PATH attributes of BGP routes to match routes. Each entry in the AS-path list defines a rule for
matching and selecting routes based on the setting of the AS_PATH attribute. The default rule in an AS
path list (which the FortiGate unit applies last) denies the matching of all routes.
Command syntax pattern
config router aspath-list
    edit <aspath_list_name>
        config rule
            edit <as_rule_id>
                set action {deny | permit}
                set regexp <regexp_str>
        end
end
Example
This example shows how to create an AS-path list named ebgp_in. The list contains a single rule that
permits operations on BGP routes whose AS_PATH attribute references an AS number of 333, 334,
338, or 71. The AS path list will match routes that originate in AS 333, AS 334, AS 338, or AS 71.
config router aspath-list
    edit ebgp_in
        config rule
            edit 1
                set action permit
                set regexp _(333|334|338|71)$
        end
end
Note: The action and regexp keywords are required.
Variables
edit <aspath_list_name>
    Enter a name for the AS path list.
    No default.
config rule variables
edit <as_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    No default.
action {deny | permit}
    Deny or permit operations on a route based on the value of the route's AS_PATH attribute.
    No default.
regexp <regexp_str>
    Specify the regular expression that will be compared to the AS_PATH attribute (for example,
    ^730$). The value is used to match AS numbers. Delimit a complex regexp_str value using
    double quotation marks.
    Default: Null.
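The following added example (not FortiOS code) evaluates the ebgp_in list above against constructed AS_PATH values. It assumes that, as in the Zebra/Quagga-style BGP regular expressions this syntax follows, an underscore in regexp_str matches a boundary (start or end of the path, or the space between two AS numbers); without that rule the page's own _(333|334|338|71)$ could never match a path such as "3356 333".

```python
"""AS-path list evaluation for config router aspath-list.

Added example, not FortiOS code. Assumption: an underscore in regexp_str
matches a boundary (start or end of the AS path, or the space between two
AS numbers), as in Zebra/Quagga-style BGP regular expressions. Combined
with "$", the rule _(333|334|338|71)$ then matches exactly the routes that
originate in one of those ASes (the last AS in the path).
"""
import re
from typing import List, Tuple

# What "_" stands for (simplified: confederation braces and commas are not handled)
_BOUNDARY = r"(?:^|\s|$)"


def compile_as_path_regexp(regexp_str: str) -> "re.Pattern[str]":
    """Translate a BGP-style AS-path regexp into a Python regexp."""
    return re.compile(regexp_str.replace("_", _BOUNDARY))


def as_path_list(rules: List[Tuple[str, str]], as_path: str) -> str:
    """Apply (action, regexp_str) rules in order; the implicit last rule denies all."""
    for action, regexp_str in rules:
        if compile_as_path_regexp(regexp_str).search(as_path):
            return action
    return "deny"


# The ebgp_in list from the example above
EBGP_IN = [("permit", "_(333|334|338|71)$")]

if __name__ == "__main__":
    # constructed AS_PATH values: left-most AS is the nearest neighbor,
    # right-most is the originating AS
    for path in ("3356 333", "71", "333 3356", "3356 3334", "1071"):
        print(f"{path!r:>14} -> {as_path_list(EBGP_IN, path)}")
```

The paths "3356 3334" and "1071" are denied because the boundary rule stops 333 and 71 from matching inside a longer AS number; "333 3356" is denied because AS 333 is not the originating AS.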
Command history
FortiOS v3.0  New.
Related topics
router bgp
router community-list
Using route maps with BGP
router key-chain
bgp
Use this command to set or unset BGP-4 routing parameters. BGP can be used to perform Classless
Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains
using an alternative route if a link between a FortiGate unit and a BGP peer (such as an ISP router)
fails. Fortinet BGP-4 complies with RFC 1771 and supports IPv4 addressing.
When BGP is enabled, the FortiGate unit sends routing table updates to the upstream ISP router
whenever any part of the routing table changes. The update advertises which routes can be used to
reach the FortiGate unit. In this way, routes are made known from the border of the internal network
outwards (routes are pushed forward) instead of relying on upstream routers to propagate alternative
paths to the FortiGate unit.
FortiGate BGP supports the following extensions to help manage large numbers of BGP peers:
Communities: The FortiGate unit can set the COMMUNITY attribute of a route to assign the route to
predefined paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY attribute of
learned routes to perform local filtering and/or redistribution.
Internal BGP (IBGP) route reflectors: The FortiGate unit can operate as a route reflector or
participate as a client in a cluster of IBGP peers (see RFC 1966).
External BGP (EBGP) confederations: The FortiGate unit can operate as a confederation member,
using its AS confederation identifier in all transactions with peers that are not members of its
confederation (see RFC 3065).
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF to quickly locate
hardware failures in the network. Routers running BFD communicate with each other, and if a timer
runs out on a connection, that router is declared down. BFD then communicates this information to
the routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0
MR4 and can only be configured through the CLI.
Command syntax pattern
config router bgp
    set always-compare-med {enable | disable}
    set as <local_as_id>
    set bestpath-as-path-ignore {enable | disable}
    set bestpath-cmp-confed-aspath {enable | disable}
    set bestpath-cmp-routerid {enable | disable}
    set bestpath-med-confed {enable | disable}
    set bestpath-med-missing-as-worst {enable | disable}
    set client-to-client-reflection {enable | disable}
    set cluster-id <address_ipv4>
    set confederation-identifier <peerid_integer>
    set dampening {enable | disable}
    set dampening-max-suppress-time <minutes_integer>
    set dampening-reachability-half-life <minutes_integer>
    set dampening-reuse <reuse_integer>
    set dampening-route-map <routemap-name_str>
    set dampening-suppress <limit_integer>
    set dampening-unreachability-half-life <minutes_integer>
    set default-local-preference <preference_integer>
    set deterministic-med {enable | disable}
    set distance-external <distance_integer>
    set distance-internal <distance_integer>
    set distance-local <distance_integer>
    set enforce-first-as {enable | disable}
    set fast-external-failover {enable | disable}
    set graceful_restart {enable | disable}
    set holdtime-timer <seconds_integer>
    set ignore_optional_capability {enable | disable}
    set keep-alive-timer <seconds_integer>
    set log-neighbor-changes {enable | disable}
    set network-import-check {enable | disable}
    set router-id <address_ipv4>
    set scan-time <seconds_integer>
    set synchronization {enable | disable}
    config admin-distance
        edit <route_entry_id>
            set distance <integer>
            set neighbor-prefix <ip_and_netmask>
            set route-list <string>
    end
    config aggregate-address
        edit <aggr_addr_id>
            set as-set {enable | disable}
            set prefix <address_ipv4mask>
            set summary-only {enable | disable}
    end
    config neighbor
        edit <neighbor_address_ipv4>
            set activate {enable | disable}
            set advertisement-interval <seconds_integer>
            set allowas-in <seconds_integer>
            set allowas-in-enable {enable | disable}
            set attribute-unchanged [as-path] [med] [next-hop]
            set bfd {enable | disable}
            set capability-default-originate {enable | disable}
            set capability-dynamic {enable | disable}
            set capability-graceful-restart {enable | disable}
            set capability-orf {both | none | recieve | send}
            set capability-route-refresh {enable | disable}
            set connect-timer <seconds_integer>
            set description <text_str>
            set distribute-list-in <access-list-name_str>
            set distribute-list-out <access-list-name_str>
            set dont-capability-negotiate {enable | disable}
            set ebgp-enforce-multihop {enable | disable}
            set ebgp-multihop {enable | disable}
            set ebgp-multihop-ttl <seconds_integer>
            set filter-list-in <aspath-list-name_str>
            set filter-list-out <aspath-list-name_str>
            set holdtime-timer <seconds_integer>
            set interface <interface-name_str>
            set keep-alive-timer <seconds_integer>
            set maximum-prefix <prefix_integer>
            set maximum-prefix-threshold <percentage_integer>
            set maximum-prefix-warning-only {enable | disable}
            set next-hop-self {enable | disable}
            set override-capability {enable | disable}
            set passive {enable | disable}
            set prefix-list-in <prefix-list-name_str>
            set prefix-list-out <prefix-list-name_str>
            set remote-as <id_integer>
            set remove-private-as {enable | disable}
            set retain-stale-time <seconds_integer>
            set route-map-in <routemap-name_str>
            set route-map-out <routemap-name_str>
            set route-reflector-client {enable | disable}
            set route-server-client {enable | disable}
            set send-community {both | disable | extended | standard}
            set shutdown {enable | disable}
            set soft-reconfiguration {enable | disable}
            set strict-capability-match {enable | disable}
            set unsuppress-map <route-map-name_str>
            set update-source <interface-name_str>
            set weight <weight_integer>
    end
    config network
        edit <network_id>
            set backdoor {enable | disable}
            set prefix <address_ipv4mask>
            set route-map <routemap-name_str>
    end
    config redistribute {connected | static | rip | ospf}
        set status {enable | disable}
        set route-map <route-map-name_str>
    end
end
config router bgp
Use this command to enable a Border Gateway Protocol version 4 (BGP-4) process on the FortiGate
unit, define the interfaces making up the local BGP network (see config network on page 206), and
set operating parameters for communicating with BGP neighbors (see config neighbor on page 202).
When multiple routes to the FortiGate unit exist, BGP attributes determine the best route and the
FortiGate unit communicates this information to its BGP peers. The best route is added to the IP
routing table of the BGP peer, which in turn propagates this updated routing information to upstream
routers.
FortiGate units maintain separate entries in their routing tables for BGP routes. See Using route maps
with BGP on page 255. To reduce the size of the BGP routing table and conserve network resources,
you can optionally aggregate routes to the FortiGate unit. An aggregate route enables the FortiGate
unit to advertise one block of contiguous IP addresses as a single, less-specific address. You can
implement aggregate routing either by redistributing an aggregate route (see config redistribute on
page 207) or by using the conditional aggregate routing feature (see config aggregate-address on
page 202).
Note: In the following table, the as and router-id keywords are required. All other keywords are optional.
Variables Description Default
al ways- compar e- med
{enabl e | di sabl e}
Enable or disable the comparison of MULTI_EXIT_DISC
(Multi Exit Discriminator or MED) attributes for identical
destinations advertised by BGP peers in different
autonomous systems.
di sabl e
as <l ocal _as_i d> Enter an integer to specify the local autonomous system (AS)
number of the FortiGate unit. The range is from 1 to 65 535.
When the l ocal _as_i d number is different than the AS
number of the specified BGP neighbor (see remote-as
<id_integer> on page 205), an External BGP (EBGP)
session is started. Otherwise, an Internal BGP (IBGP)
session is started. A value of 0 is not allowed.
0
best pat h- as- pat h- i gnor e
{enabl e | di sabl e}
Enable or disable the inclusion of an AS path in the selection
algorithm for choosing a BGP route.
di sabl e
best pat h- cmp- conf ed-
aspat h {enabl e | di sabl e}
Enable or disable the comparison of the
AS_CONFED_SEQUENCE attribute, which defines an
ordered list of AS numbers representing a path from the
FortiGate unit through autonomous systems within the local
confederation.
di sabl e
best pat h- cmp- r out er i d
{enabl e | di sabl e}
Enable or disable the comparison of the router-ID values for
identical EBGP paths.
di sabl e
best pat h- med- conf ed
{enabl e | di sabl e}
Enable or disable the comparison of MED attributes for routes
advertised by confederation EBGP peers.
di sabl e
best pat h- med- mi ssi ng- as-
wor st {enabl e | di sabl e}
This keyword is available when best pat h- med- conf ed is
set to enabl e.
When best pat h- med- conf ed is enabled, treat any
confederation path with a missing MED metric as the least
preferred path.
di sabl e
cl i ent - t o- cl i ent -
r ef l ect i on
{enabl e | di sabl e}
Enable or disable client-to-client route reflection between
IBGP peers. If the clients are fully meshed, route reflection
may be disabled.
enabl e
cl ust er - i d <addr ess_i pv4> Set the identifier of the route-reflector in the cluster ID to
which the FortiGate unit belongs. If 0 is specified, the
FortiGate unit operates as the route reflector and its
r out er - i d value is used as the cl ust er - i d value. If the
FortiGate unit identifies its own cluster ID in the
CLUSTER_LIST attribute of a received route, the route is
ignored to prevent looping.
0. 0. 0. 0
conf eder at i on- i dent i f i er
<peer i d_i nt eger >
Set the identifier of the confederation to which the FortiGate
unit belongs. The range is from 1 to 65 535.
0
dampeni ng {enabl e |
di sabl e}
Enable or disable route-flap dampening on all BGP routes.
See RFC 2439. (A flapping route is unstable and continually
transitions down and up.) If you set dampening, you may
optionally set dampeni ng- r out e- map or define the
associated values individually using the dampeni ng- *
keywords.
di sabl e
dampeni ng- max- suppr ess-
t i me <mi nut es_i nt eger >
This keyword is available when dampeni ng is set to
enabl e.
Set the maximum time (in minutes) that a route can be
suppressed. The range is from 1 to 255. A route may
continue to accumulate penalties while it is suppressed.
However, the route cannot be suppressed longer than
mi nut es_i nt eger .
60
dampeni ng- r eachabi l i t y-
hal f - l i f e
<mi nut es_i nt eger >
This keyword is available when dampeni ng is set to
enabl e.
Set the time (in minutes) after which any penalty assigned to
a reachable (but flapping) route is decreased by half. The
range is from 1 to 45.
15
FortiGate CLI Version 3.0 MR5 Reference
200 01-30005-0015-20070803
bgp router
dampeni ng- r euse
<r euse_i nt eger >
This keyword is available when dampeni ng is set to
enabl e.
Set a dampening-reuse limit based on accumulated
penalties. The range is from 1 to 20 000. If the penalty
assigned to a flapping route decreases enough to fall below
the specified r euse_i nt eger , the route is not suppressed.
750
dampeni ng- r out e- map
<r out emap- name_st r >
This keyword is available when dampeni ng is set to
enabl e.
Specify the route-map that contains criteria for dampening.
You must create the route-map before it can be selected
here. See route-map on page 253 and Using route maps
with BGP on page 255.
Null.
dampeni ng- suppr ess
<l i mi t _i nt eger >
This keyword is available when dampeni ng is set to
enabl e.
Set a dampening-suppression limit. The range is from 1 to
20 000. A route is suppressed (not advertised) when its
penalty exceeds the specified limit.
2 000
dampeni ng- unr eachabi l i t y-
hal f - l i f e
<mi nut es_i nt eger >
This keyword is available when dampeni ng is set to
enabl e.
Set the time (in minutes) after which the penalty on a route
that is considered unreachable is decreased by half. The
range is from 1 to 45.
15
def aul t - l ocal - pr ef er ence
<pr ef er ence_i nt eger >
Set the default local preference value. A higher value
signifies a preferred route. The range is from 0 to
4 294 967 295.
100
det er mi ni st i c- med
{enabl e | di sabl e}
Enable or disable deterministic comparison of the MED
attributes of routes advertised by peers in the same AS.
di sabl e
di st ance- ext er nal
<di st ance_i nt eger >
Set the administrative distance of EBGP routes. The range is
from 1 to 255. If you set this value, you must also set values
for di st ance- i nt er nal and di st ance- l ocal .
20
di st ance- i nt er nal
<di st ance_i nt eger >
This keyword is available when di st ance- ext er nal is set.
Set the administrative distance of IBGP routes. The range is
from 1 to 255.
200
di st ance- l ocal
<di st ance_i nt eger >
This keyword is available when di st ance- ext er nal is set.
Set the administrative distance of local BGP routes. The
range is from 1 to 255.
200
enf or ce- f i r st - as
{enabl e | di sabl e}
Enable or disable the addition of routes learned from an
EBGP peer when the AS number at the beginning of the
routes AS_PATH attribute does not match the AS number of
the EBGP peer.
di sabl e
f ast - ext er nal - f ai l over
{enabl e | di sabl e}
Immediately reset the session information associated with
BGP external peers if the link used to reach them goes down.
enabl e
gr acef ul _r est ar t
{enabl e | di sabl e}
Graceful restart capability limits the effects of software
problems by allowing forwarding to continue when the control
plane of the router fails. It also reduces routing flaps by
stabilizing the network.
di sabl e
hol dt i me- t i mer
<seconds_i nt eger >
The maximum amount of time (in seconds) that may expire
before the FortiGate unit declares any BGP peer down. A
keepalive message must be received every
seconds_i nt eger seconds, or the peer is declared down.
The value can be 0 or an integer in the 3 to 65 535 range.
240
i gnor e_opt i onal _capabi l i t
y {enabl e | di sabl e}
Dont send unknown optional capability notification message. di sabl e
keep- al i ve- t i mer
<seconds_i nt eger >
The frequency (in seconds) that a keepalive message is sent
from the FortiGate unit to any BGP peer. The range is from 0
to 65 535. BGP peers exchange keepalive messages to
maintain the connection for the duration of the session.
60
Variables Description Default
router bgp
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 201
log-neighbor-changes {enable | disable}
    Enable or disable the logging of changes to BGP neighbor status.
    Default: disable
network-import-check {enable | disable}
    Enable or disable the advertising of the BGP network in IGP (see config network on page 206).
    Default: enable
router-id <address_ipv4>
    Specify a fixed identifier for the FortiGate unit. A value of 0.0.0.0 is not allowed.
    Default: 0.0.0.0
scan-time <seconds_integer>
    Configure the background scanner interval (in seconds) for next-hop route scanning. The range is from 5 to 60.
    Default: 60
synchronization {enable | disable}
    Only advertise routes from iBGP if routes are present in an interior gateway protocol (IGP) such as RIP or OSPF.
    Default: disable
Example
The following example defines the number of the AS of which the FortiGate unit is a member. It also defines an EBGP neighbor at IP address 10.0.1.2.
    config router bgp
        set as 65001
        set router-id 172.16.120.20
        config neighbor
            edit 10.0.1.2
                set remote-as 65100
            end
    end
config admin-distance
Use this subcommand to set administrative distance modifications for BGP routes.
Variables Description Default
edit <route_entry_id>
    Enter an ID number for the entry. The number must be an integer.
    No default.
distance <integer>
    The administrative distance to apply to the route. This value can be from 1 to 255.
    No default.
neighbor-prefix <ip_and_netmask>
    Neighbor address prefix. This variable must be a valid IP address and netmask.
    No default.
route-list <string>
    The list of routes this distance will be applied to. The routes in this list can only come from the access list, which can be viewed at config router access-list.
    No default.
Example
This example shows how to manually adjust the distance associated with a route. It sets a distance of 25 that applies to routes from neighbors with an IP address of 192.168.0.0 and a netmask of 255.255.0.0 that are also permitted by the access list downtown_office.
    config router bgp
        config admin-distance
            edit 1
                set distance 25
                set neighbor-prefix 192.168.0.0 255.255.0.0
                set route-list downtown_office
            next
        end
    end
config aggregate-address
Use this subcommand to set or unset BGP aggregate-address table parameters. The subcommand creates a BGP aggregate entry in the FortiGate routing table.
When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.
Example
This example shows how to define an aggregate prefix of 192.168.0.0/16. The as-set command enables the generation of an unordered list of AS numbers to include in the path information.
    config router bgp
        config aggregate-address
            edit 1
                set prefix 192.168.0.0/16
                set as-set enable
            end
    end
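The summarization described above, worked through in code: this is an added example, not FortiGate code or text from the reference. It computes the shortest mask common to a set of routes and shows what the as-set and summary-only keywords change in what the aggregate entry advertises; the routes are constructed sample input and AS 65001 is taken from the config router bgp example earlier on the page.

```python
"""Added example (not from the FortiGate reference or FortiOS): a model of what
a config aggregate-address entry does to the routes a BGP speaker advertises.
The routes below are constructed sample input; 65001 is the local AS from the
reference's earlier config router bgp example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str               # NLRI, e.g. "192.168.10.0/24"
    as_path: tuple[int, ...]  # ordered AS_PATH as learned from a peer


# Constructed sample routes learned from three different EBGP peers.
SAMPLE_ROUTES = (
    Route("192.168.10.0/24", (65100,)),
    Route("192.168.20.0/24", (65200, 65300)),
    Route("10.7.0.0/16", (65400,)),       # outside the aggregate used below
)


def common_aggregate(routes):
    """Shortest prefix that still covers every route.

    This is the summarization the reference describes: the mask length is
    reduced until it masks only the bits common to all the addresses."""
    nets = [ipaddress.ip_network(r.prefix) for r in routes]
    first = int(nets[0].network_address)
    plen = min(n.prefixlen for n in nets)
    while True:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if all((int(n.network_address) & mask) == (first & mask) for n in nets):
            return ipaddress.ip_network((first & mask, plen))
        plen -= 1


def build_advertisements(routes, aggregate_prefix, local_as,
                         as_set=False, summary_only=False):
    """Return the list of (prefix, path_info) a speaker would advertise.

    as_set       -> like 'set as-set enable': the aggregate carries an
                    unordered AS_SET of every AS in the contributing paths.
    summary_only -> like 'set summary-only enable': the contributing
                    more-specific routes are suppressed.
    path_info holds the ordered as_sequence, the as_set, and whether
    ATOMIC_AGGREGATE is attached (it is when as-set is off; the reference
    notes that enabling as-set makes set-atomic-aggregate unnecessary)."""
    agg = ipaddress.ip_network(aggregate_prefix)
    contributing = [r for r in routes
                    if ipaddress.ip_network(r.prefix).subnet_of(agg)]
    adverts = []
    if contributing:
        ases = sorted({a for r in contributing for a in r.as_path})
        adverts.append((str(agg), {
            "as_sequence": [local_as],
            "as_set": ases if as_set else [],
            "atomic_aggregate": not as_set,
        }))
    suppressed = {r.prefix for r in contributing} if summary_only else set()
    for r in routes:
        if r.prefix in suppressed:
            continue  # specific route hidden behind the aggregate
        adverts.append((r.prefix, {
            "as_sequence": [local_as, *r.as_path],
            "as_set": [],
            "atomic_aggregate": False,
        }))
    return adverts
```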
Note: The prefix keyword is required. All other keywords are optional.
Variables Description Default
edit <aggr_addr_id>
    Enter an ID number for the entry. The number must be an integer.
    No default.
as-set {enable | disable}
    Enable or disable the generation of an unordered list of AS numbers to include in the path information. When as-set is enabled, a set-atomic-aggregate value (see Using route maps with BGP on page 255) does not have to be specified.
    Default: disable
prefix <address_ipv4mask>
    Set an aggregate prefix. Include the IP address and netmask.
    Default: 0.0.0.0 0.0.0.0
summary-only {enable | disable}
    Enable or disable the advertising of aggregate routes only (the advertising of specific routes is suppressed).
    Default: disable
config neighbor
Use this subcommand to set or unset BGP neighbor configuration settings. The subcommand adds a BGP neighbor configuration to the FortiGate unit.
You can clear all or some BGP neighbor connections (sessions) using the exec router clear bgp command (see router clear bgp on page 552).
Note: The remote-as keyword is required. All other keywords are optional.
Variables Description Default
edit <neighbor_address_ipv4>
    Enter the IP address of the BGP neighbor.
    No default.
activate {enable | disable}
    Enable or disable the address family for the BGP neighbor.
    Default: enable
advertisement-interval <seconds_integer>
    Set the minimum amount of time (in seconds) that the FortiGate unit waits before sending a BGP routing update to the BGP neighbor. The range is from 0 to 600.
    Default: 30
allowas-in <seconds_integer>
    This keyword is available when allowas-in-enable is set to enable. Set the amount of time (in seconds) that the FortiGate unit waits before readvertising to the BGP neighbor all prefixes that contain duplicate AS numbers. The range is from 1 to 10.
    Default: unset
allowas-in-enable {enable | disable}
    Enable or disable the readvertising of all prefixes containing duplicate AS numbers. Set the amount of time that must expire before readvertising through the allowas-in keyword.
    Default: disable
attribute-unchanged [as-path] [med] [next-hop]
    Propagate unchanged BGP attributes to the BGP neighbor. To advertise unchanged AS_PATH attributes, select as-path. To advertise unchanged MULTI_EXIT_DISC attributes, select med. To advertise the IP address of the next-hop router interface (even when the address has not changed), select next-hop. An empty set is a supported value.
    Default: Empty set.
bfd {enable | disable}
    Enable to turn on Bi-Directional Forwarding Detection (BFD) for this neighbor. This indicates that this neighbor is using BFD.
    Default: disable
capability-default-originate {enable | disable}
    Enable or disable the advertising of the default route to BGP neighbors.
    Default: disable
capability-dynamic {enable | disable}
    Enable or disable the advertising of dynamic capability to BGP neighbors.
    Default: disable
capability-graceful-restart {enable | disable}
    Enable or disable the advertising of graceful-restart capability to BGP neighbors.
    Default: disable
capability-orf {both | disable | receive | send}
    Enable or disable the advertising of Outbound Routing Filter (ORF) prefix-list capability to the BGP neighbor. To enable send and receive capability, select both. To enable receive capability, select receive. To enable send capability, select send. To disable the advertising of ORF prefix-list capability, select disable.
    Default: disable
capability-orf {both | none | receive | send}
    Accept or send outbound route filter (ORF) lists to or from this neighbor: both accepts and sends ORF lists; none neither accepts nor sends ORF lists; receive only accepts ORF lists; send only sends ORF lists.
    Default: none
capability-route-refresh {enable | disable}
    Enable or disable the advertising of route-refresh capability to the BGP neighbor.
    Default: enable
connect-timer <seconds_integer>
    Set the maximum amount of time (in seconds) that the FortiGate unit waits to make a connection with a BGP neighbor before the neighbor is declared unreachable. The range is from 0 to 65 535.
    Default: -1 (not set)
description <text_str>
    Enter a one-word (no spaces) description to associate with the BGP neighbor configuration settings.
    Default: Null.
distribute-list-in <access-list-name_str>
    Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See access-list on page 192.
    Default: Null.
distribute-list-out <access-list-name_str>
    Limit route updates to the BGP neighbor based on the NLRI defined in the specified access list. You must create the access list before it can be selected here. See access-list on page 192.
    Default: Null.
dont-capability-negotiate {enable | disable}
    Enable or disable capability negotiations with the BGP neighbor.
    Default: disable
ebgp-enforce-multihop {enable | disable}
    Enable or disable the enforcement of Exterior BGP (EBGP) multihops.
    Default: disable
ebgp-multihop {enable | disable}
    Enable or disable communications with EBGP neighbors that are not one hop away. When you enable ebgp-multihop, set an ebgp-multihop-ttl value to change the Time-To-Live (TTL) duration of the EBGP packets.
    Default: disable
ebgp-multihop-ttl <seconds_integer>
    This keyword is available when ebgp-multihop is set to enable. Define a TTL value (in hop counts) for BGP packets sent to the BGP neighbor. The range is from 1 to 255.
    Default: 255
filter-list-in <aspath-list-name_str>
    Limit inbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See aspath-list on page 194.
    Default: Null.
filter-list-out <aspath-list-name_str>
    Limit outbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See aspath-list on page 194.
    Default: Null.
holdtime-timer <seconds_integer>
    The amount of time (in seconds) that must expire before the FortiGate unit declares the BGP neighbor down. This value overrides the global holdtime-timer value (see holdtime-timer <seconds_integer> on page 200). A keepalive message must be received every seconds_integer seconds from the BGP neighbor or it is declared down. The value can be 0 or an integer in the 3 to 65 535 range.
    Default: -1 (not set)
interface <interface-name_str>
    Specify a descriptive name for the BGP neighbor interface.
    Default: Null.
keep-alive-timer <seconds_integer>
    The frequency (in seconds) that a keepalive message is sent from the FortiGate unit to the BGP neighbor. This value overrides the global keep-alive-timer value (see keep-alive-timer <seconds_integer> on page 200). The range is from 0 to 65 535.
    Default: -1 (not set)
maximum-prefix <prefix_integer>
    Set the maximum number of NLRI prefixes to accept from the BGP neighbor. When the maximum is reached, the FortiGate unit disconnects the BGP neighbor. The range is from 1 to 4 294 967 295. Changing this value on the FortiGate unit does not disconnect the BGP neighbor. However, if the neighbor goes down because it reaches the maximum number of prefixes and you increase the maximum-prefix value afterward, the neighbor will be reset.
    Default: unset
maximum-prefix-threshold <percentage_integer>
    This keyword is available when maximum-prefix is set. Specify the threshold (as a percentage) that must be exceeded before a warning message about the maximum number of NLRI prefixes is displayed. The range is from 1 to 100.
    Default: 75
maximum-prefix-warning-only {enable | disable}
    This keyword is available when maximum-prefix is set. Enable or disable the display of a warning when the maximum-prefix-threshold has been reached.
    Default: disable
next-hop-self {enable | disable}
    Enable or disable advertising of the FortiGate unit's IP address (instead of the neighbor's IP address) in the NEXT_HOP information that is sent to IBGP peers.
    Default: disable
override-capability {enable | disable}
    Enable or disable IPv6 addressing for a BGP neighbor that does not support capability negotiation.
    Default: disable
passive {enable | disable}
    Enable or disable the sending of Open messages to BGP neighbors.
    Default: disable
prefix-list-in <prefix-list-name_str>
    Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See prefix-list on page 242.
    Default: Null.
prefix-list-out <prefix-list-name_str>
    Limit route updates to a BGP neighbor based on the NLRI in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See prefix-list on page 242.
    Default: Null.
remote-as <id_integer>
    Adds a BGP neighbor to the FortiGate configuration and sets the AS number of the neighbor. The range is from 1 to 65 535. If the number is identical to the FortiGate AS number, the FortiGate unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer and the FortiGate unit uses EBGP to communicate with the neighbor.
    Default: unset
remove-private-as {enable | disable}
    Remove the private AS numbers from outbound updates to the BGP neighbor.
    Default: disable
restart_time <seconds_integer>
    Sets the time until a restart happens. The time until the restart can be from 0 to 3600 seconds.
    Default: 0
retain-stale-time <seconds_integer>
    This keyword is available when capability-graceful-restart is set to enable. Specify the time (in seconds) that stale routes to the BGP neighbor will be retained. The range is from 1 to 65 535.
    Default: 0
route-map-in <routemap-name_str>
    Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified route map. You must create the route map before it can be selected here. See route-map on page 253 and Using route maps with BGP on page 255.
    Default: Null.
route-map-out <routemap-name_str>
    Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified route map. You must create the route map before it can be selected here. See route-map on page 253 and Using route maps with BGP on page 255.
    Default: Null.
route-reflector-client {enable | disable}
    This keyword is available when remote-as is identical to the FortiGate AS number (see as <local_as_id> on page 199). Enable or disable the operation of the FortiGate unit as a route reflector and identify the BGP neighbor as a route-reflector client.
    Default: disable
route-server-client {enable | disable}
    Enable or disable the recognition of the BGP neighbor as a route-server client.
    Default: disable
Example
This example shows how to set the AS number of a BGP neighbor at IP address 10.10.10.167 and enter a descriptive name for the configuration.
    config router bgp
        config neighbor
            edit 10.10.10.167
                set remote-as 2879
                set description BGP_neighbor_Site1
            end
    end
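The maximum-prefix, maximum-prefix-threshold and maximum-prefix-warning-only neighbor settings described in the table above, modelled as an added example (not FortiGate code) so that the update that triggers the warning and the one that drops the session are visible. The reference says the neighbor is disconnected when the maximum "is reached"; the model below treats that as the first prefix beyond the maximum, which is an assumption, and the prefixes are constructed input.

```python
"""Added example (not FortiGate code): a small model of the per-neighbor
maximum-prefix, maximum-prefix-threshold and maximum-prefix-warning-only
settings. Assumption: "maximum is reached" means the first prefix beyond
the configured maximum; the threshold is "exceeded" when the accepted
count is strictly above threshold% of the maximum."""
from dataclasses import dataclass, field


@dataclass
class PrefixLimit:
    maximum_prefix: int                  # maximum-prefix
    threshold_percent: int = 75          # maximum-prefix-threshold (default 75)
    warning_only: bool = False           # maximum-prefix-warning-only
    accepted: set = field(default_factory=set)
    warned: bool = False
    connected: bool = True

    def _over_threshold(self):
        return len(self.accepted) * 100 > self.threshold_percent * self.maximum_prefix

    def receive(self, prefix):
        """Process one NLRI prefix from the neighbor and report what happened."""
        if not self.connected:
            return "dropped (neighbor down)"
        self.accepted.add(prefix)
        if len(self.accepted) > self.maximum_prefix:
            if self.warning_only:
                return "warning (over maximum, session kept)"
            # Limit hit: tear down the session and forget its routes.
            self.connected = False
            self.accepted.clear()
            return "disconnected"
        if not self.warned and self._over_threshold():
            self.warned = True        # warn once per session
            return "warning (threshold exceeded)"
        return "accepted"

    def withdraw(self, prefix):
        self.accepted.discard(prefix)

    def set_maximum(self, new_max):
        """Changing maximum-prefix does not disconnect a live neighbor; raising it
        after a maximum-prefix disconnect resets (re-establishes) the neighbor."""
        old, self.maximum_prefix = self.maximum_prefix, new_max
        if not self.connected and new_max > old:
            self.connected = True
            self.warned = False
        return self.connected


def replay(limit, prefixes):
    """Feed a sequence of prefixes through the limit and return the outcomes."""
    return [limit.receive(p) for p in prefixes]


# Constructed sample: a neighbor allowed 8 prefixes announces 10.
SAMPLE_PREFIXES = [f"10.{i}.0.0/16" for i in range(1, 11)]
```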
send-community {both | disable | extended | standard}
    Enable or disable the sending of the COMMUNITY attribute to the BGP neighbor. To advertise extended and standard capabilities, select both. To advertise extended capabilities, select extended. To advertise standard capabilities, select standard. To disable the advertising of the COMMUNITY attribute, select disable.
    Default: both
shutdown {enable | disable}
    Administratively enable or disable the BGP neighbor.
    Default: disable
soft-reconfiguration {enable | disable}
    Enable or disable the FortiGate unit to store unmodified updates from the BGP neighbor to support inbound soft-reconfiguration.
    Default: disable
strict-capability-match {enable | disable}
    Enable or disable strict-capability negotiation matching with the BGP neighbor.
    Default: disable
unsuppress-map <route-map-name_str>
    Specify the name of the route map to selectively unsuppress suppressed routes. You must create the route map before it can be selected here. See route-map on page 253 and Using route maps with BGP on page 255.
    Default: Null.
update-source <interface-name_str>
    Specify the name of the local FortiGate interface to use for TCP connections to neighbors. The IP address of the interface will be used as the source address for outgoing updates.
    Default: Null.
weight <weight_integer>
    Apply a weight value to all routes learned from a neighbor. A higher number signifies a greater preference. The range is from 0 to 65 535.
    Default: unset
config network
Use this subcommand to set or unset BGP network configuration parameters. The subcommand is used to advertise a BGP network (that is, an IP prefix); you specify the IP addresses making up the local BGP network.
When you enable the network-import-check attribute on the FortiGate unit (see network-import-check {enable | disable} on page 201) and you specify a BGP network prefix through the config network command, the FortiGate unit searches its routing table for a matching entry. If an exact match is found, the prefix is advertised. A route map can optionally be used to modify the attributes of routes before they are advertised.
Note: The prefix keyword is required. All other keywords are optional.
Variables Description Default
edit <network_id>
    Enter an ID number for the entry. The number must be an integer.
    No default.
backdoor {enable | disable}
    Enable or disable the route as a backdoor, which causes an administrative distance of 200 to be assigned to the route. Backdoor routes are not advertised to EBGP peers.
    Default: disable
prefix <address_ipv4mask>
    Enter the IP address and netmask that identifies the BGP network to advertise.
    Default: 0.0.0.0 0.0.0.0
route-map <routemap-name_str>
    Specify the name of the route map that will be used to modify the attributes of the route before it is advertised. You must create the route map before it can be selected here. See route-map on page 253 and Using route maps with BGP on page 255.
    Default: Null.
Example
This example defines a BGP network at IP address 10.0.0.0/8. A route map named BGP_rmap1 is used to modify the attributes of the local BGP routes before they are advertised.
    config router bgp
        config network
            edit 1
                set prefix 10.0.0.0/8
                set route-map BGP_rmap1
            end
    end
    config router route-map
        edit BGP_rmap1
            config rule
                edit 1
                    set set-community no-export
                end
        end
config redistribute
Use this subcommand to set or unset BGP redistribution table parameters. You can enable BGP to provide connectivity between connected, static, RIP, and/or OSPF routes. BGP redistributes the routes from one protocol to another. When a large internetwork is divided into multiple routing domains, use the subcommand to redistribute routes to the various domains. As an alternative, you can use the config network subcommand to advertise a prefix to the BGP network (see config network on page 206).
The BGP redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:
    connected: Redistribute routes learned from a direct connection to the destination network.
    static: Redistribute the static routes defined in the FortiGate routing table.
    rip: Redistribute routes learned from RIP.
    ospf: Redistribute routes learned from OSPF.
When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {connected | static | rip | ospf}).
Note: The status and route-map keywords are optional.
Variables Description Default
status {enable | disable}
    Enable or disable the redistribution of connected, static, RIP, or OSPF routes.
    Default: disable
route-map <route-map-name_str>
    Specify the name of the route map that identifies the routes to redistribute. You must create the route map before it can be selected here. See route-map on page 253 and Using route maps with BGP on page 255. If a route map is not specified, all routes are redistributed to BGP.
    Default: Null.
Example
The following example changes the status and route-map fields of the connected entry.
    config router bgp
        config redistribute connected
            set status enable
            set route-map rmap1
        end
    end
Command history
FortiOS v3.0 New.
Related topics
router aspath-list
router community-list
Using route maps with BGP
router key-chain
community-list
Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute. The default rule in a community list (which the FortiGate unit applies last) denies the matching of all routes.
You add a route to a community by setting its COMMUNITY attribute. A route can belong to more than one community. A route may be added to a community because it has something in common with the other routes in the group (for example, the attribute could identify all routes to satellite offices).
When the COMMUNITY attribute is set, the FortiGate unit can select routes based on their COMMUNITY attribute values.
Command syntax pattern
    config router community-list
        edit <community_name>
            set type {standard | expanded}
            config rule
                edit <community_rule_id>
                    set action {deny | permit}
                    set match <criteria>
                    set regexp <regular_expression>
                end
        end
Note: The action keyword is required. All other keywords are optional.
Variables Description Default
edit <community_name>
    Enter a name for the community list.
    No default.
type {standard | expanded}
    Specify the type of community to match. If you select expanded, you must also specify a config rule regexp value. See regexp <regular_expression> on page 210.
    Default: standard
config rule variables
edit <community_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    No default.
action {deny | permit}
    Deny or permit operations on a route based on the value of the route's COMMUNITY attribute.
    No default.
match <criteria>
    This keyword is available when set type is set to standard. Specify the criteria for matching a reserved community. Use decimal notation to match one or more COMMUNITY attributes having the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
    To match all routes in the Internet community, type internet.
    To match all routes in the LOCAL_AS community, type local-AS. Matched routes are not advertised locally.
    To select all routes in the NO_ADVERTISE community, type no-advertise. Matched routes are not advertised.
    To select all routes in the NO_EXPORT community, type no-export. Matched routes are not advertised to EBGP peers. If a confederation is configured, the routes are advertised within the confederation.
    Default: Null.
regexp <regular_expression>
    This keyword is available when set type is set to expanded. Specify an ordered list of COMMUNITY attributes as a regular expression. The value or values are used to match a community. Delimit a complex regular_expression value using double-quotation marks.
    Default: Null.
Example
This example creates a community list named Satellite_offices. The list permits operations on BGP routes whose COMMUNITY attribute is set to no-advertise.
    config router community-list
        edit Satellite_offices
            set type standard
            config rule
                edit 1
                    set action permit
                    set match no-advertise
                end
        end
The next example creates a community list named ext_community. The list permits operations on BGP routes whose COMMUNITY attribute has the number 3 in the second part of the first instance and the number 86 in the second part of the second instance. For example, the community list could match routes having the following COMMUNITY attribute values: 100:3 500:86 300:800, 1:3 4:86, or 69:3 69:86 69:69 70:800 600:333.
    config router community-list
        edit ext_community
            set type expanded
            config rule
                edit 1
                    set action permit
                    set regexp ".*:3 .*:86"
                end
        end
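How the two community lists above decide a route, worked through as an added example (not FortiGate code): a standard list compares exact AA:NN values (with the reserved names mapped to their RFC 1997 values), an expanded list runs its regular expression over the route's ordered COMMUNITY string, and the implicit last rule denies. The routes are constructed input; treating a standard rule that lists several communities as requiring all of them is an assumption.

```python
"""Added example (not FortiGate code): evaluation of a standard and an
expanded community list against a route's COMMUNITY attribute, ending in
the implicit deny the reference says is applied last. Assumption: a
standard rule listing several communities matches only when the route
carries all of them."""
import re

# RFC 1997 well-known communities in AA:NN form (0xFFFFFF01, 02, 03).
RESERVED = {
    "no-export": "65535:65281",
    "no-advertise": "65535:65282",
    "local-AS": "65535:65283",   # NO_EXPORT_SUBCONFED
}
AANN = re.compile(r"^\d{1,5}:\d{1,5}$")


def parse_criteria(criteria):
    """Turn a standard 'match' value into the AA:NN strings to look for."""
    wanted = []
    for word in criteria.split():
        if word == "internet":
            continue                  # matches every route, adds no constraint
        value = RESERVED.get(word, word)
        if not AANN.match(value):
            raise ValueError(f"not a community in AA:NN form: {word!r}")
        wanted.append(value)
    return wanted


class CommunityList:
    def __init__(self, name, list_type, rules):
        if list_type not in ("standard", "expanded"):
            raise ValueError(list_type)
        self.name, self.list_type = name, list_type
        # rules: ordered (action, value) pairs; value is a match criteria
        # string for a standard list or a regexp for an expanded list.
        self.rules = [(action, value) for action, value in rules]

    def rule_matches(self, value, communities):
        if self.list_type == "standard":
            return all(c in communities for c in parse_criteria(value))
        # Expanded: the COMMUNITY attribute is an ordered list, so the regexp
        # is run over it as one space-separated string (order matters).
        return re.search(value, " ".join(communities)) is not None

    def evaluate(self, communities):
        """Apply the rules in order; the implicit final rule denies."""
        for action, value in self.rules:
            if self.rule_matches(value, communities):
                return action
        return "deny"


# The two lists from the reference's examples.
SATELLITE_OFFICES = CommunityList("Satellite_offices", "standard",
                                  [("permit", "no-advertise")])
EXT_COMMUNITY = CommunityList("ext_community", "expanded",
                              [("permit", ".*:3 .*:86")])
```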
Command history
FortiOS v3.0 New.
Related topics
router aspath-list
router bgp
Using route maps with BGP
router key-chain
key-chain
Use this command to manage RIP version 2 authentication keys. You can add, edit or delete keys identified by the specified key number.
RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work, both the sending and receiving routers must be set to use authentication, and must be configured with the same keys.
A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times. See config system global on page 243 to ensure that the FortiGate system date and time are correct.
Command syntax pattern
    config router key-chain
        edit <key_chain_name>
            config key
                edit <key_id>
                    set accept-lifetime <start> <end>
                    set key-string <password>
                    set send-lifetime <start> <end>
                end
        end
Note: The accept-lifetime, key-string, and send-lifetime keywords are required.
Variables Description Default
edit <key_chain_name>
    Enter a name for the key chain list.
    No default.
config key variables
edit <key_id>
    Enter an ID number for the key entry. The number must be an integer.
    No default.
accept-lifetime <start> <end>
    Set the time period during which the key can be received. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
        hh:mm:ss day month year
        a duration from 1 to 2147483646 seconds
        infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
        hh - 0 to 23
        mm - 0 to 59
        ss - 0 to 59
        day - 1 to 31
        month - 1 to 12
        year - 1993 to 2035
    No default.
Example
This example shows how to add a key chain named test1 with three keys. The first two keys each have send and receive lifetimes of 13 hours, and the third key has send and receive lifetimes that never expire.
    config router key-chain
        edit test1
            config key
                edit 1
                    set accept-lifetime 10:00:00 1 6 2004 46800
                    set send-lifetime 10:00:00 1 6 2004 46800
                    set key-string 1a2b2c4d5e6f7g8h
                next
                edit 2
                    set accept-lifetime 22:00:00 1 6 2004 46800
                    set send-lifetime 22:00:00 1 6 2004 46800
                    set key-string 9i1j2k3l4m5n6o7p
                next
                edit 3
                    set accept-lifetime 10:00:00 2 6 2004 infinite
                    set send-lifetime 10:00:00 2 6 2004 infinite
                    set key-string 123abc456def789g
                end
        end
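The lifetime syntax and the key overlap from the test1 example above, worked through as an added example (not FortiGate code): it parses the three forms of end time, validates the field ranges the table gives, reports which keys a router would accept or send at a given moment, and measures how much overlap two keys leave for clock differences. The lifetimes are those of the reference's example; the rule that the lowest-numbered valid key is used to send is an assumption.

```python
"""Added example (not FortiGate code): a parser for the accept-lifetime and
send-lifetime syntax of config router key-chain, with helpers that show
which keys are usable at a given moment and how long two keys overlap.
Assumption: the lowest-numbered valid key is the one used for sending."""
from datetime import datetime, timedelta

INFINITE = datetime.max
MAX_DURATION = 2147483646


def parse_start(fields):
    """['hh:mm:ss', 'day', 'month', 'year'] -> datetime, checking the reference's ranges."""
    hms, day, month, year = fields
    hh, mm, ss = (int(x) for x in hms.split(":"))
    day, month, year = int(day), int(month), int(year)
    checks = ((hh, 0, 23), (mm, 0, 59), (ss, 0, 59),
              (day, 1, 31), (month, 1, 12), (year, 1993, 2035))
    if any(not lo <= v <= hi for v, lo, hi in checks):
        raise ValueError(f"out of range: {' '.join(fields)}")
    return datetime(year, month, day, hh, mm, ss)


def parse_lifetime(text):
    """'<start> <end>': end is a timestamp, a duration in seconds, or 'infinite'."""
    parts = text.split()
    start, rest = parse_start(parts[:4]), parts[4:]
    if rest == ["infinite"]:
        return start, INFINITE
    if len(rest) == 1:
        seconds = int(rest[0])
        if not 1 <= seconds <= MAX_DURATION:
            raise ValueError(f"duration out of range: {seconds}")
        return start, start + timedelta(seconds=seconds)
    if len(rest) == 4:
        return start, parse_start(rest)
    raise ValueError(f"bad lifetime: {text!r}")


# Key chain test1 from the reference's example (key IDs 1, 2 and 3).
TEST1 = {
    1: {"accept": "10:00:00 1 6 2004 46800",
        "send": "10:00:00 1 6 2004 46800", "key": "1a2b2c4d5e6f7g8h"},
    2: {"accept": "22:00:00 1 6 2004 46800",
        "send": "22:00:00 1 6 2004 46800", "key": "9i1j2k3l4m5n6o7p"},
    3: {"accept": "10:00:00 2 6 2004 infinite",
        "send": "10:00:00 2 6 2004 infinite", "key": "123abc456def789g"},
}


def valid_keys(chain, when, direction):
    """IDs of keys whose accept (or send) lifetime contains `when`."""
    ids = []
    for key_id, entry in sorted(chain.items()):
        start, end = parse_lifetime(entry[direction])
        if start <= when < end:
            ids.append(key_id)
    return ids


def send_key(chain, when):
    """Key used for an outgoing packet: the lowest valid ID (assumption), or None."""
    ids = valid_keys(chain, when, "send")
    return ids[0] if ids else None


def accept_overlap_seconds(chain, a, b):
    """How long both keys are accepted at once: the slack that tolerates clock skew."""
    s1, e1 = parse_lifetime(chain[a]["accept"])
    s2, e2 = parse_lifetime(chain[b]["accept"])
    overlap = min(e1, e2) - max(s1, s2)
    return max(0, overlap.total_seconds())
```

With the example's 13-hour keys, each pair of consecutive keys is accepted together for exactly one hour, so a peer whose clock is off by less than that still authenticates throughout the rollover.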
key-string <password>
    The <password_str> can be up to 35 characters long.
    No default.
send-lifetime <start> <end>
    Set the time period during which the key can be sent. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
        hh:mm:ss day month year
        a duration from 1 to 2147483646 seconds
        infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
        hh - 0 to 23
        mm - 0 to 59
        ss - 0 to 59
        day - 1 to 31
        month - 1 to 12
        year - 1993 to 2035
    No default.
Command history
FortiOS v2.80 New.
Related topics
router rip
system global
multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root
virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM dense mode (RFC
3973) and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. Multicast routing is only available in the root virtual domain. It is not supported
in Transparent mode (TP mode).
A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at
least one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points
(RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can
perform any of these functions at any time as configured.
Sparse mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to
which each RP sends the multicast address or addresses of the multicast group(s) that it can service.
The selected BSR chooses one RP per multicast group and makes this information available to all of
the PIM routers in the domain through bootstrap messages. PIM routers use the information to build
packet distribution trees, which map each multicast group to a specific RP. Packet distribution trees
may also contain information about the sources and receivers associated with particular multicast
groups.
An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and
pruning the information contained in distribution trees, a single stream of multicast packets (for
example, a video feed) originating from the source can be forwarded to a certain RP to reach a
multicast destination.
Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which
neighboring PIM router join and prune messages are sent. An MRIB contains reverse-path information
that reveals the path of a multicast packet from its source to the PIM router that maintains the MRIB.
To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally
elected DR registers the sender with the RP that is associated with the target multicast group. The RP
uses its MRIB to forward a single stream of IP packets from the source to the members of the multicast
group. The IP packets are replicated only when necessary to distribute the data to branches of the
RP's distribution tree.
Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in
between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode
must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense
mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is
connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast)
packets or decapsulated data (IP traffic) between the source and destination.
Note: When a FortiGate interface is configured as a multicast interface, sparse mode is enabled on it by default to
ensure that distribution trees are not built unless at least one downstream receiver requests multicast traffic from
a specific source. If the sources of multicast traffic and their receivers are close to each other and the PIM domain
contains a dense population of active receivers, you may choose to enable dense mode throughout the PIM
domain instead.
To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP)
version 1 (RFC 1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a
particular multicast group. The locally elected DR receives the request and adds the host to the
multicast group that is associated with the connected network segment by sending a join message
towards the RP for the group. Afterward, the DR queries the hosts on the connected network segment
continually to determine whether the hosts are active. When the DR no longer receives confirmation
that at least one member of the multicast group is still active, the DR sends a prune message towards
the RP for the group.
Dense mode
The packet organization used in sparse mode is also used in dense mode. When a multicast source
begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from
the multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM
routers initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers
that have requested traffic for multicast group address G can access the information if needed.
To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees
based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages
from downstream PIM routers to determine if receivers are actually present on directly connected
network segments. The PIM routers exchange state refresh messages to update their distribution
trees. FortiGate units store this state information in a Tree Information Base (TIB), which is used to
build a multicast forwarding table. The information in the multicast forwarding table determines
whether packets are forwarded downstream. The forwarding table is updated whenever the TIB is
modified.
PIM routers receive data streams every few minutes and update their forwarding tables using the
source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is
stopped by PIM routers that do not have downstream receivers: PIM routers that do not manage
multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic
for multicast address G, the closest PIM router sends a graft message upstream to begin receiving
multicast packets.
Command syntax pattern
config router multicast
    set igmp-state-limit <limit_integer>
    set multicast-routing {enable | disable}
    set route-limit <limit_integer>
    set route-threshold <threshold_integer>
    config interface
        edit <interface_name>
            set cisco-exclude-genid {enable | disable}
            set dr-priority <priority_integer>
            set hello-holdtime <holdtime_integer>
            set hello-interval <hello_integer>
            set neighbour-filter <access_list_name>
            set passive {enable | disable}
            set pim-mode {sparse-mode | dense-mode}
            set propagation-delay <delay_integer>
            set rp-candidate {enable | disable}
            set rp-candidate-group <access_list_name>
            set rp-candidate-interval <interval_integer>
            set rp-candidate-priority <priority_integer>
            set state-refresh-interval <refresh_integer>
            set ttl-threshold <ttl_integer>
            config join-group
                edit address <address_ipv4>
            end
            config igmp
                set access-group <access_list_name>
                set immediate-leave-group <access_list_name>
                set last-member-query-count <count_integer>
                set last-member-query-interval <interval_integer>
                set query-interval <interval_integer>
                set query-max-response-time <time_integer>
                set query-timeout <timeout_integer>
                set router-alert-check {enable | disable}
                set version {1 | 2 | 3}
            end
        end
    end
    config pim-sm-global
        set accept-register-list <access_list_name>
        set bsr-allow-quick-refresh {enable | disable}
        set bsr-candidate {enable | disable}
        set bsr-priority <priority_integer>
        set bsr-interface <interface_name>
        set bsr-hash <hash_integer>
        set cisco-register-checksum {enable | disable}
        set cisco-register-checksum-group <access_list_name>
        set cisco-crp-prefix {enable | disable}
        set cisco-ignore-rp-set-priority {enable | disable}
        set message-interval <interval_integer>
        set register-rate-limit <rate_integer>
        set register-rp-reachability {enable | disable}
        set register-source {disable | interface | ip-address}
        set register-source-interface <interface_name>
        set register-source-ip <address_ipv4>
        set register-suppression <suppress_integer>
        set rp-register-keepalive <keepalive_integer>
        set spt-threshold {enable | disable}
        set spt-threshold-group <access_list_name>
        set ssm {enable | disable}
        set ssm-range <access_list_name>
        config rp-address
            edit <rp_id>
                set ip-address <address_ipv4>
                set group <access_list_name>
            end
        end
end
config router multicast
You can configure a FortiGate unit to support PIM using the config router multicast CLI
command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping
information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping
information and, if required, processes the multicast traffic associated with specific multicast groups.
Note: The end-user multicast client-server applications must be installed and configured to initiate
Internet connections and handle broadband content such as audio/video information.
Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user
could type in a class D multicast group address, an alias for the multicast group address, or a call-
conference number to initiate the session. Rather than sending multiple copies of generated IP traffic
to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use
the one multicast group address to forward multicast packets to multiple destinations. Because one
destination address is used, a single stream of data can be sent. Client applications receive multicast
data by requesting that the traffic destined for a certain multicast group address be delivered to them;
end-users may use phone books, a menu of ongoing or future sessions, or some other method
through a user interface to select the address of interest.
A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group
address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D
addresses must be assigned in advance. Because there is no way to determine in advance if a certain
multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch
to a different multicast address).
To configure a PIM domain
1 If you will be using sparse mode, determine appropriate paths for multicast packets.
2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing
protocol.
3 If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs,
record the IP addresses of the PIM-enabled interfaces on those RPs.
4 Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate
units, use the config router multicast command to set global operating parameters.
5 Configure the PIM routers that have good connections throughout the PIM domain to be candidate
BSRs.
6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
7 If required, adjust the default settings of PIM-enabled interface(s).
Note: All keywords are optional.

igmp-state-limit <limit_integer>
    If memory consumption is an issue, specify a limit on the number of IGMP states (multicast
    memberships) that the FortiGate unit will store. The value represents the maximum combined number
    of IGMP states (multicast memberships) that can be handled by all interfaces. Traffic associated with
    excess IGMP membership reports is not delivered. The range is from 96 to 64 000.
    Default: 3200

multicast-routing {enable | disable}
    Enable or disable PIM routing.
    Default: disable

route-limit <limit_integer>
    If memory consumption is an issue, set a limit on the number of multicast routes that can be added
    to the FortiGate routing table. The range is from 1 to 2 147 483 674.
    Default: 2147483674

route-threshold <threshold_integer>
    Specify the number of multicast routes that can be added to the FortiGate routing table before a
    warning message is displayed. The route-threshold value must be lower than the route-limit value.
    The range is from 1 to 2 147 483 674.
    Default: 2147483674
config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation
(sparse or dense). Global settings do not override interface-specific settings.
Note: All keywords are optional.

edit <interface_name>
    Enter the name of the FortiGate interface on which to enable PIM protocols.
    Default: No default.

cisco-exclude-genid {enable | disable}
    This keyword applies only when pim-mode is sparse-mode. Enable or disable including a generation
    ID in hello messages sent to neighboring PIM routers. A GenID value may be included for
    compatibility with older Cisco IOS routers.
    Default: disable

dr-priority <priority_integer>
    This keyword applies only when pim-mode is sparse-mode. Assign a priority to FortiGate DR
    candidacy. The range is from 1 to 4 294 967 294. The value is compared to that of other DR
    interfaces connected to the same network segment, and the router having the highest DR priority is
    selected to be the DR. If two DR priority values are the same, the interface having the highest IP
    address is selected.
    Default: 1

hello-holdtime <holdtime_integer>
    Specify the amount of time (in seconds) that a PIM neighbor may consider the information in a
    hello message to be valid. The range is from 1 to 65 535. If the hello-interval attribute is modified
    and the hello-holdtime attribute has never been set explicitly, the hello-holdtime attribute is set to
    3.5 x hello-interval automatically.
    Default: 105

hello-interval <hello_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending hello messages
    to neighboring PIM routers. The range is from 1 to 65 535. Changing the hello-interval attribute may
    update the hello-holdtime attribute automatically.
    Default: 30

neighbour-filter <access_list_name>
    Establish or terminate adjacency with PIM neighbors having the IP addresses given in the specified
    access list. See access-list on page 192.
    Default: Null.

passive {enable | disable}
    Enable or disable PIM communications on the interface without affecting IGMP communications.
    Default: disable

pim-mode {sparse-mode | dense-mode}
    Select the PIM mode of operation: select sparse-mode to manage PIM packets through distribution
    trees and multicast groups; select dense-mode to enable multicast flooding.
    Default: sparse-mode

propagation-delay <delay_integer>
    This keyword is available when pim-mode is set to dense-mode. Specify the amount of time (in
    milliseconds) that the FortiGate unit waits to send prune-override messages. The range is from 100
    to 5 000.
    Default: 500

rp-candidate {enable | disable}
    This keyword is available when pim-mode is set to sparse-mode. Enable or disable the FortiGate
    interface to offer Rendezvous Point (RP) services.
    Default: disable

rp-candidate-group <access_list_name>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Specify for which multicast groups RP candidacy is advertised based on the multicast group prefixes
    given in the specified access list. See access-list on page 192.
    Default: Null.

rp-candidate-interval <interval_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Set the amount of time (in seconds) that the FortiGate unit waits between sending RP announcement
    messages. The range is from 1 to 16 383.
    Default: 60

rp-candidate-priority <priority_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Assign a priority to FortiGate RP candidacy. The range is from 0 to 255. The BSR compares the
    value to that of other RP candidates that can service the same multicast group, and the router
    having the highest RP priority is selected to be the RP for that multicast group. If two RP priority
    values are the same, the RP candidate having the highest IP address on its RP interface is selected.
    Default: 192

state-refresh-interval <refresh_integer>
    This keyword is available when pim-mode is set to dense-mode. This attribute is used when the
    FortiGate unit is connected directly to the multicast source. Set the amount of time (in seconds) that
    the FortiGate unit waits between sending state-refresh messages. The range is from 1 to 100. When
    a state-refresh message is received by a downstream router, the prune state on the downstream
    router is refreshed.
    Default: 60

ttl-threshold <ttl_integer>
    Specify the minimum Time-To-Live (TTL) value (in hops) that an outbound multicast packet must
    have in order to be forwarded from the interface. Specifying a high value (for example, 195) prevents
    PIM packets from being forwarded through the interface. The range is from 0 to 255.
    Default: 1

config join-group variables

edit address <address_ipv4>
    Cause the FortiGate interface to activate (IGMP join) the multicast group associated with the
    specified multicast group address.
    Default: No default.

config igmp variables

access-group <access_list_name>
    Specify which multicast groups hosts on the connected network segment may join based on the
    multicast addresses given in the specified access list. See access-list on page 192.
    Default: Null.

immediate-leave-group <access_list_name>
    This keyword applies when version is set to 2 or 3. Configure a FortiGate DR to stop sending traffic
    and IGMP queries to receivers after receiving an IGMP version 2 group-leave message from any
    member of the multicast groups identified in the specified access list. See access-list on page 192.
    Default: Null.

last-member-query-count <count_integer>
    This keyword applies when version is set to 2 or 3. Specify the number of times that a FortiGate DR
    sends an IGMP query to the last member of a multicast group after receiving an IGMP version 2
    group-leave message.
    Default: 2

last-member-query-interval <interval_integer>
    This keyword applies when version is set to 2 or 3. Set the amount of time (in milliseconds) that a
    FortiGate DR waits for the last member of a multicast group to respond to an IGMP query. The range
    is from 1000 to 25 500. If no response is received before the specified time expires and the FortiGate
    DR has already sent an IGMP query last-member-query-count times, the FortiGate DR removes the
    member from the group and sends a prune message to the associated RP.
    Default: 1000

query-interval <interval_integer>
    Set the amount of time (in seconds) that a FortiGate DR waits between sending IGMP queries to
    determine which members of a multicast group are active. The range is from 1 to 65 535.
    Default: 125
query-max-response-time <time_integer>
    Set the maximum amount of time (in seconds) that a FortiGate DR waits for a member of a multicast
    group to respond to an IGMP query. The range is from 1 to 25. If no response is received before the
    specified time expires, the FortiGate DR removes the member from the group.
    Default: 10

query-timeout <timeout_integer>
    Set the amount of time (in seconds) that must expire before a FortiGate unit begins sending IGMP
    queries to the multicast group that is managed through the interface. The range is from 60 to 300. A
    FortiGate unit begins sending IGMP queries if it does not receive regular IGMP queries from another
    DR through the interface.
    Default: 255

router-alert-check {enable | disable}
    Enable to require the Router Alert option in IGMP packets.
    Default: disable

version {1 | 2 | 3}
    Specify the version number of IGMP to run on the interface. The value can be 1, 2, or 3. The value
    must match the version used by all other PIM routers on the connected network segment.
    Default: 3

config pim-sm-global
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not
override interface-specific PIM settings.
If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by
specifying the IP address of the RP through the config rp-address subcommand. The IP address
must be directly accessible to the DR. If multicast packets from more than one multicast group can
pass through the same RP, you can use an access list to specify the associated multicast group
addresses.
Note: To send multicast packets to a particular RP using the config rp-address subcommand, the
ip-address keyword is required. All other keywords are optional.

accept-register-list <access_list_name>
    Cause a FortiGate RP to accept or deny register packets from the source IP addresses given in the
    specified access list. See access-list on page 192.
    Default: Null.

bsr-allow-quick-refresh {enable | disable}
    Enable or disable accepting BSR quick refresh packets from neighbors.
    Default: disable

bsr-candidate {enable | disable}
    Enable or disable the FortiGate unit to offer its services as a Boot Strap Router (BSR) when required.
    Default: disable

bsr-priority <priority_integer>
    This keyword is available when bsr-candidate is set to enable. Assign a priority to FortiGate BSR
    candidacy. The range is from 0 to 255. The value is compared to that of other BSR candidates and
    the candidate having the highest priority is selected to be the BSR. If two BSR priority values are the
    same, the BSR candidate having the highest IP address on its BSR interface is selected.
    Default: 0

bsr-interface <interface_name>
    This keyword is available when bsr-candidate is set to enable. Specify the name of the PIM-enabled
    interface through which the FortiGate unit may announce BSR candidacy.
    Default: Null.

bsr-hash <hash_integer>
    This keyword is available when bsr-candidate is set to enable. Set the length of the mask (in bits)
    to apply to multicast group addresses in order to derive a single Rendezvous Point (RP) for one or
    more multicast groups. The range is from 0 to 32. For example, a value of 24 means that the first
    24 bits of the group address are significant. All multicast groups having the same seed hash belong
    to the same RP.
    Default: 10

cisco-crp-prefix {enable | disable}
    Enable or disable a FortiGate RP that has a group prefix number of 0 to communicate with a Cisco
    BSR. You may choose to enable the attribute if required for compatibility with older Cisco BSRs.
    Default: disable

cisco-ignore-rp-set-priority {enable | disable}
    Enable or disable a FortiGate BSR to recognize Cisco RP-SET priority values when deriving a single
    RP for one or more multicast groups. You may choose to enable the attribute if required for
    compatibility with older Cisco RPs.
    Default: disable

cisco-register-checksum {enable | disable}
    Enable or disable performing a register checksum on entire PIM packets. A register checksum is
    performed on the header only by default. You may choose to enable register checksums on the
    whole packet for compatibility with older Cisco IOS routers.
    Default: disable

cisco-register-checksum-group <access_list_name>
    This keyword is available when cisco-register-checksum is set to enable. Identify on which PIM
    packets to perform a whole-packet register checksum based on the multicast group addresses in the
    specified access list. See access-list on page 192. You may choose to enable register checksums
    on entire PIM packets for compatibility with older Cisco IOS routers.
    Default: Null.

message-interval <interval_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending periodic PIM
    join/prune messages (sparse mode) or prune messages (dense mode). The value must be identical
    to the message interval value set on all other PIM routers in the PIM domain. The range is from 1 to
    65 535.
    Default: 60

register-rate-limit <rate_integer>
    Set the maximum number of register messages per (S,G) per second that a FortiGate DR can send
    for each PIM entry in the routing table. The range is from 0 to 65 535, where 0 means an unlimited
    number of register messages per second.
    Default: 0

register-rp-reachability {enable | disable}
    Enable or disable a FortiGate DR to check if an RP is accessible prior to sending register messages.
    Default: enable

register-source {disable | interface | ip-address}
    If the FortiGate unit acts as a DR, enable or disable changing the IP source address of outbound
    register packets to one of the following IP addresses. The IP address must be accessible to the RP
    so that the RP can respond to the IP address with a Register-Stop message:
    - To retain the IP address of the FortiGate DR interface that faces the RP, select disable.
    - To change the IP source address of a register packet to the IP address of a particular FortiGate
      interface, select interface. The register-source-interface attribute specifies the interface name.
    - To change the IP source address of a register packet to a particular IP address, select ip-address.
      The register-source-ip attribute specifies the IP address.
    Default: ip-address

register-source-interface <interface_name>
    This keyword is available when register-source is set to interface. Enter the name of the FortiGate
    interface.
    Default: Null.
register-source-ip <address_ipv4>
    This keyword is available when register-source is set to ip-address. Enter the IP source address to
    include in the register message.
    Default: 0.0.0.0

register-suppression <suppress_integer>
    Enter the amount of time (in seconds) that a FortiGate DR waits to start sending data to an RP after
    receiving a Register-Stop message from the RP. The range is from 1 to 65 535.
    Default: 60

rp-register-keepalive <keepalive_integer>
    If the FortiGate unit acts as an RP, set the frequency (in seconds) with which the FortiGate unit
    sends keepalive messages to a DR. The range is from 1 to 65 535. The two routers exchange
    keepalive messages to maintain a link for as long as the source continues to generate traffic.
    If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute
    has never been set explicitly, the rp-register-keepalive attribute is set to
    (3 x register-suppression) + 5 automatically.
    Default: 185

spt-threshold {enable | disable}
    Enable or disable the FortiGate unit to build a Shortest Path Tree (SPT) for forwarding multicast
    packets.
    Default: enable

spt-threshold-group <access_list_name>
    This keyword is available when spt-threshold is set to enable. Build an SPT only for the multicast
    group addresses given in the specified access list. See access-list on page 192.
    Default: Null.

ssm {enable | disable}
    This keyword is available when the IGMP version is set to 3. Enable or disable Source Specific
    Multicast (SSM) interactions (see RFC 3569).
    Default: enable

ssm-range <access_list_name>
    This keyword is available when ssm is set to enable. Enable SSM only for the multicast addresses
    given in the specified access list. See access-list on page 192. By default, multicast addresses in
    the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions.
    Default: Null.

config rp-address variables
Applies only when pim-mode is sparse-mode.

edit <rp_id>
    Enter an ID number for the static RP address entry. The number must be an integer.
    Default: No default.

ip-address <address_ipv4>
    Specify a static IP address for the RP.
    Default: 0.0.0.0

group <access_list_name>
    Configure a single static RP for the multicast group addresses given in the specified access list. See
    access-list on page 192. If an RP for any of these group addresses is already known to the BSR, the
    static RP address is ignored and the RP known to the BSR is used instead.
    Default: Null.

Example
This example shows how to enable a FortiGate unit to support PIM routing in sparse mode and enable
BSR candidacy on the dmz interface:
config router multicast
    set multicast-routing enable
    config interface
        edit dmz
            set pim-mode sparse-mode
        end
    end
    config pim-sm-global
        set bsr-candidate enable
        set bsr-priority 1
        set bsr-interface dmz
        set bsr-hash 24
    end
end
This example shows how to enable RP candidacy on the port1 interface for the multicast group
addresses given through an access list named multicast_port1:
config router multicast
    set multicast-routing enable
    config interface
        edit port1
            set pim-mode sparse-mode
            set rp-candidate enable
            set rp-candidate-group multicast_port1
            set rp-candidate-priority 15
        end
    end
end
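A further example, added here and not part of the original reference, that uses the keywords above to tighten a sparse-mode deployment: a neighbour-filter so that port1 only forms a PIM adjacency with one known router, an IGMP access-group so that hosts can only join the organisation's own 239.192.0.0/16 groups, an accept-register-list so that the RP only accepts register packets from the media-server subnet, a static RP for those groups, and memory bounds with a warning threshold. All interface names, addresses and access list names are constructed; the access-list stanzas follow the access-list command referenced on page 192 and their exact syntax is assumed rather than taken from this page; lines starting with # are explanatory comments.

```fortios
# Access lists referenced below (syntax assumed from the access-list command, page 192).
# Only the PIM router at 10.1.1.2 may form an adjacency on port1.
config router access-list
    edit pim-neighbours
        config rule
            edit 1
                set prefix 10.1.1.2 255.255.255.255
                set action permit
            end
        end
    end
end
# Hosts on port1 may join only the organisation-local 239.192.0.0/16 groups.
config router access-list
    edit allowed-groups
        config rule
            edit 1
                set prefix 239.192.0.0 255.255.0.0
                set action permit
            end
        end
    end
end
# Only senders on the media-server subnet may register with the RP.
config router access-list
    edit register-sources
        config rule
            edit 1
                set prefix 10.2.0.0 255.255.255.0
                set action permit
            end
        end
    end
end
config router multicast
    set multicast-routing enable
    # Bound the memory used for IGMP state and multicast routes; route-threshold must stay
    # below route-limit so that a warning appears before routes are refused.
    set igmp-state-limit 1000
    set route-limit 2000
    set route-threshold 1500
    config interface
        edit port1
            set pim-mode sparse-mode
            # Adjacency is established only with neighbours listed in pim-neighbours.
            set neighbour-filter pim-neighbours
            config igmp
                set version 3
                # Membership reports for groups outside allowed-groups are not honoured.
                set access-group allowed-groups
                # Require the Router Alert option in IGMP packets.
                set router-alert-check enable
            end
        end
    end
    config pim-sm-global
        # As RP, accept register packets only from sources in register-sources.
        set accept-register-list register-sources
        # Static RP for the allowed groups; ignored if the BSR already knows an RP for them.
        config rp-address
            edit 1
                set ip-address 10.1.1.1
                set group allowed-groups
            end
        end
    end
end
```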
Command history
FortiOS v3.0    New.

Related topics
get router info multicast
execute mrouter clear
ospf
Use this command to configure Open Shortest Path First (OSPF) protocol settings on the FortiGate
unit. More information on OSPF can be found in RFC 2328.
OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP
protocol. An OSPF autonomous system (AS) or routing domain is a group of areas connected to a
backbone area. A router connected to more than one area is an area border router (ABR). Routing
information is contained in a link state database. Routing information is communicated between
routers using link state advertisements (LSAs).
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly
locate hardware failures in the network. Routers running BFD communicate with each other, and if a
timer runs out on a connection then that router is declared down. BFD then communicates this
information to the routing protocol and the routing information is updated. BFD support was added in
FortiOS v3.0 MR4, and can only be configured through the CLI.
Command syntax pattern
config router ospf
    set abr-type {cisco | ibm | shortcut | standard}
    set auto-cost-ref-bandwidth <mbps_integer>
    set bfd {enable | disable | global}
    set database-overflow {enable | disable}
    set database-overflow-max-lsas <lsas_integer>
    set database-overflow-time-to-recover <seconds_integer>
    set default-information-metric <metric_integer>
    set default-information-metric-type {1 | 2}
    set default-information-originate {always | disable | enable}
    set default-information-route-map <name_str>
    set default-metric <metric_integer>
    set distance <distance_integer>
    set distance-external <distance_integer>
    set distance-inter-area <distance_integer>
    set distance-intra-area <distance_integer>
    set distribute-list-in <access_list_name>
    set passive-interface <name_str>
    set restart-mode {graceful-restart | lls | none}
    set rfc1583-compatible {enable | disable}
    set router-id <address_ipv4>
    set spf-timers <delay_integer> <hold_integer>
    config area
        edit <area_address_ipv4>
            set authentication {md5 | none | text}
            set default-cost <cost_integer>
            set nssa-default-information-originate {enable | disable}
            set nssa-default-information-originate-metric <metric>
            set nssa-default-information-originate-metric-type {1 | 2}
            set nssa-redistribution {enable | disable}
            set nssa-translator-role {always | candidate | never}
            set shortcut {default | disable | enable}
            set stub-type {no-summary | summary}
            set type {nssa | regular | stub}
            config filter-list
                edit <filter-list_id>
                    set direction {in | out}
                    set list <name_str>
                end
            config range
                edit <range_id>
                    set advertise {enable | disable}
                    set prefix <address_ipv4mask>
                    set substitute <address_ipv4mask>
                    set substitute-status {enable | disable}
                end
            config virtual-link
                edit <vlink_name>
                    set authentication {md5 | none | text}
                    set authentication-key <password_str>
                    set dead-interval <seconds_integer>
                    set hello-interval <seconds_integer>
                    set md5-key <id_integer> <key_str>
                    set peer <address_ipv4>
                    set retransmit-interval <seconds_integer>
                    set transmit-delay <seconds_integer>
                end
        end
    config distribute-list
        edit <distribute-list_id>
            set access-list <name_str>
            set protocol {connected | rip | static}
        end
    end
    config neighbor
        edit <neighbor_id>
            set cost <cost_integer>
            set ip <address_ipv4>
            set poll-interval <seconds_integer>
            set priority <priority_integer>
        end
    end
    config network
        edit <network_id>
            set area <id-address_ipv4>
            set prefix <address_ipv4mask>
        end
    end
    config ospf-interface
        edit <ospf_interface_name>
            set authentication {md5 | none | text}
            set authentication-key <password_str>
            set
            set cost <cost_integer>
            set database-filter-out {enable | disable}
            set dead-interval <seconds_integer>
            set hello-interval <seconds_integer>
            set interface <name_str>
            set ip <address_ipv4>
            set md5-key <id_integer> <key_str>
            set mtu <mtu_integer>
            set mtu-ignore {enable | disable}
            set network-type <type>
            set priority <priority_integer>
            set resync-timeout <integer>
            set retransmit-interval <seconds_integer>
            set status {enable | disable}
            set transmit-delay <seconds_integer>
        end
    end
    config redistribute {bgp | connected | static | rip}
        set metric <metric_integer>
        set metric-type {1 | 2}
        set routemap <name_str>
        set status {enable | disable}
        set tag <tag_integer>
    end
    config summary-address
        edit <summary-address_id>
            set advertise {enable | disable}
            set prefix <address_ipv4mask>
            set tag <tag_integer>
        end
    end
end
config router ospf
Use this command to set the router ID of the FortiGate unit. Additional configuration options are
supported.
Note: The router-id keyword is required. All other keywords are optional.
Variables Description Default
abr-type {cisco | ibm | shortcut | standard}
    Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has
    multiple attached areas and has no backbone connection. Selecting the ABR type compatible with
    the routers on your network can reduce or eliminate the need for configuring and maintaining
    virtual links. For more information, see RFC 3509.
    Default: standard
auto-cost-ref-bandwidth <mbps_integer>
    Enter the Mbits per second for the reference bandwidth. Values can range from 1 to 65535.
bfd {enable | disable | global}
    Select one of the Bidirectional Forwarding Detection (BFD) options for this interface.
    enable - start BFD on this interface
    disable - stop BFD on this interface
    global - use the global settings instead of explicitly setting BFD per interface.
    For the global settings see system bfd {enable | disable} on page 393.
    Default: disable
database-overflow {enable | disable}
    Enable or disable dynamically limiting link state database size under overflow conditions. Enable
    this command for FortiGate units on a network with routers that may not be able to maintain a
    complete link state database because of limited resources.
    Default: disable
database-overflow-max-lsas <lsas_integer>
    If you have enabled database-overflow, set the limit for the number of external link state
    advertisements (LSAs) that the FortiGate unit can keep in its link state database before entering
    the overflow state. The lsas_integer must be the same on all routers attached to the OSPF area
    and the OSPF backbone. The valid range for lsas_integer is 0 to 4294967294.
    Default: 10000
database-overflow-time-to-recover <seconds_integer>
    Enter the time, in seconds, after which the FortiGate unit will attempt to leave the overflow
    state. If seconds_integer is set to 0, the FortiGate unit will not leave the overflow state until
    restarted. The valid range for seconds_integer is 0 to 65535.
    Default: 300
default-information-metric <metric_integer>
    Specify the metric for the default route set by the default-information-originate command.
    The valid range for metric_integer is 1 to 16777214.
    Default: 10
default-information-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the
    default-information-originate command.
    Default: 2
default-information-originate {always | disable | enable}
    Enter enable to advertise a default route into an OSPF routing domain.
    Use always to advertise a default route even if the FortiGate unit does not have a default route
    in its routing table.
    Default: disable
default-information-route-map <name_str>
    If you have set default-information-originate to always, and there is no default route in the
    routing table, you can configure a route map to define the parameters that OSPF uses to advertise
    the default route.
    Default: Null.
default-metric <metric_integer>
    Specify the default metric that OSPF should use for redistributed routes. The valid range for
    metric_integer is 1 to 16777214.
    Default: 10
distance <distance_integer>
    Configure the administrative distance for all OSPF routes. Using administrative distance you can
    specify the relative priorities of different routes to the same destination. A lower
    administrative distance indicates a more preferred route. The valid range for distance_integer
    is 1 to 255.
    Default: 110
distance-external <distance_integer>
    Change the administrative distance of all external OSPF routes. The range is from 1 to 255.
    Default: 110
distance-inter-area <distance_integer>
    Change the administrative distance of all inter-area OSPF routes. The range is from 1 to 255.
    Default: 110
distance-intra-area <distance_integer>
    Change the administrative distance of all intra-area OSPF routes. The range is from 1 to 255.
    Default: 110
distribute-list-in <access_list_name>
    Limit route updates from the OSPF neighbor based on the Network Layer Reachability Information
    (NLRI) defined in the specified access list. You must create the access list before it can be
    selected here. See access-list on page 192.
    Default: Null.
passive-interface <name_str>
    OSPF routing information is not sent or received through the specified interface.
    No default.
restart-mode {graceful-restart | lls | none}
    Select the restart mode from:
    graceful-restart - (also known as hitless restart) when the FortiGate unit goes down it
    advertises to neighbors how long it will be down to reduce traffic
    lls - Enable Link-local Signaling (LLS) mode
    none - hitless restart (graceful restart) is disabled
    Default: none
rfc1583-compatible {enable | disable}
    Enable or disable RFC 1583 compatibility. RFC 1583 compatibility should be enabled only when
    there is another OSPF router in the network that only supports RFC 1583.
    When RFC 1583 compatibility is enabled, routers choose the path with the lowest cost. Otherwise,
    routers choose the lowest cost intra-area path through a non-backbone area.
    Default: disable
router-id <address_ipv4>
    Set the router ID. The router ID is a unique number, in IP address dotted decimal format, that is
    used to identify an OSPF router to other OSPF routers within an area. The router ID should not be
    changed while OSPF is running. A router ID of 0.0.0.0 is not allowed.
    Default: 0.0.0.0
spf-timers <delay_integer> <hold_integer>
    Change the default shortest path first (SPF) calculation delay time and frequency.
    The delay_integer is the time, in seconds, between when OSPF receives information that will
    require an SPF calculation and when it starts an SPF calculation. The valid range for
    delay_integer is 0 to 4294967295.
    The hold_integer is the minimum time, in seconds, between consecutive SPF calculations. The
    valid range for hold_integer is 0 to 4294967295.
    OSPF updates routes more quickly if the SPF timers are set low; however, this uses more CPU. A
    setting of 0 for spf-timers can quickly use up all available CPU.
    Default: 5 10
Example
This example shows how to set the OSPF router ID to 1.1.1.1 for a standard area border router:
    config router ospf
      set abr-type standard
      set router-id 1.1.1.1
    end
config area
Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system
(AS) or routing domain are organized into logical groupings called areas. Areas are linked together by
area border routers (ABRs). There must be a backbone area that all areas can connect to. You can use
a virtual link to connect areas that do not have a physical connection to the backbone. Routers within
an OSPF area maintain link state databases for their own areas.
You can use the config filter-list subcommand to control the import and export of LSAs into
and out of an area. See config filter-list variables on page 230. You can use access or prefix lists for
OSPF area filter lists. For more information, see access-list on page 192 and prefix-list on
page 242.
You can use the config range subcommand to summarize routes at an area boundary. If the
network numbers in an area are contiguous, the ABR advertises a summary route that includes all the
networks within the area that are within the specified range. See config range variables on page 230.
You can configure a virtual link using the config virtual-link subcommand to connect an area
to the backbone when the area has no direct connection to the backbone (see config virtual-link
variables on page 230). A virtual link allows traffic from the area to transit a directly connected area to
reach the backbone. The transit area cannot be a stub area. Virtual links can only be set up between
two ABRs.
Note: If you define a filter list, the direction and list keywords are required. If you define a range, the
prefix keyword is required. If you define a virtual link, the peer keyword is required. All other keywords are
optional.
Variables Description Default
edit <area_address_ipv4>
    Type the IP address of the area. An address of 0.0.0.0 indicates the backbone area.
    No default.
authentication {md5 | none | text}
    Set the authentication type.
    Use the authentication keyword to define the authentication used for OSPF packets sent and
    received in this area. If you select none, no authentication is used. If you select text, the
    authentication key is sent as plain text. If you select md5, an authentication key is used to
    generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the
    confidentiality of the information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to
    prevent network problems that can occur if an unwanted or misconfigured router is mistakenly
    added to the area.
    If you configure authentication for interfaces, the authentication configured for the area is
    not used. Authentication passwords or keys are defined per interface. See config ospf-interface
    on page 234.
    Default: none
default-cost <cost_integer>
    Enter the metric to use for the summary default route in a stub area or not so stubby area
    (NSSA). A lower default cost indicates a more preferred route.
    The valid range for cost_integer is 1 to 16777214.
    Default: 10
nssa-default-information-originate {enable | disable}
    Enter enable to advertise a default route in a not so stubby area. Affects NSSA ABRs or NSSA
    Autonomous System Boundary Routers only.
    Default: disable
nssa-default-information-originate-metric <metric>
    Specify the metric (an integer) for the default route set by the
    nssa-default-information-originate keyword.
    Default: 10
nssa-default-information-originate-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the
    nssa-default-information-originate keyword.
    Default: 2
nssa-redistribution {enable | disable}
    Enable or disable redistributing routes into a NSSA area.
    Default: enable
nssa-translator-role {always | candidate | never}
    A NSSA border router can translate the Type 7 LSAs used for external route information within
    the NSSA to Type 5 LSAs used for distributing external route information to other parts of the
    OSPF routing domain. Usually a NSSA will have only one NSSA border router acting as a translator
    for the NSSA.
    You can set the translator role to always to ensure this FortiGate unit always acts as a
    translator if it is in a NSSA, even if other routers in the NSSA are also acting as translators.
    You can set the translator role to candidate to have this FortiGate unit participate in the
    process for electing a translator for a NSSA.
    You can set the translator role to never to ensure this FortiGate unit never acts as the
    translator if it is in a NSSA.
    Default: candidate
shortcut {default | disable | enable}
    Use this command to specify area shortcut parameters.
    Default: disable
stub-type {no-summary | summary}
    Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow
    an ABR to send summary LSAs into a stub area.
    Default: summary
type {nssa | regular | stub}
    Set the area type:
    Select nssa for a not so stubby area.
    Select regular for a normal OSPF area.
    Select stub for a stub area.
    Default: regular
config filter-list variables
edit <filter-list_id>
    Enter an ID number for the filter list. The number must be an integer.
    No default.
direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter
    outgoing packets.
    Default: out
list <name_str>
    Enter the name of the access list or prefix list to use for this filter list.
    Default: Null.
config range variables
edit <range_id>
    Enter an ID number for the range. The number must be an integer in the 0 to 4 294 967 295 range.
    No default.
advertise {enable | disable}
    Enable or disable advertising the specified range.
    Default: enable
prefix <address_ipv4mask>
    Specify the range of addresses to summarize.
    Default: 0.0.0.0 0.0.0.0
substitute <address_ipv4mask>
    Enter a prefix to advertise instead of the prefix defined for the range. The prefix
    0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0
substitute-status {enable | disable}
    Enable or disable using a substitute prefix.
    Default: disable
config virtual-link variables
edit <vlink_name>
    Enter a name for the virtual link.
    No default.
authentication {md5 | none | text}
    Set the authentication type.
    Use the authentication keyword to define the authentication used for OSPF packets sent and
    received over this virtual link. If you select none, no authentication is used. If you select
    text, the authentication key is sent as plain text. If you select md5, an authentication key is
    used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the
    confidentiality of the information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to
    prevent network problems that can occur if an unwanted or misconfigured router is mistakenly
    added to the area.
    Default: none
authentication-key <password_str>
    This keyword is available when authentication is set to text.
    Enter the password to use for text authentication.
    The authentication-key must be the same on both ends of the virtual link.
    The maximum length for the authentication-key is 15 characters.
    Default: * (No default.)
dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the
    dead-interval should be four times the value of the hello-interval.
    Both ends of the virtual link must use the same value for dead-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 40
hello-interval <seconds_integer>
    The time, in seconds, between hello packets.
    Both ends of the virtual link must use the same value for hello-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 10
md5-key <id_integer> <key_str>
    This keyword is available when authentication is set to md5.
    Enter the key ID and password to use for MD5 authentication.
    Both ends of the virtual link must use the same key ID and key.
    The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16
    characters.
    No default.
peer <address_ipv4>
    The router ID of the remote ABR. 0.0.0.0 is not allowed.
    Default: 0.0.0.0
retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit
    interval must be greater than the expected round-trip delay for a packet. The valid range for
    seconds_integer is 1 to 65535.
    Default: 5
transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this virtual link.
    OSPF increments the age of the LSAs in the update packet to account for transmission and
    propagation delays on the virtual link.
    Increase the value for transmit-delay on low speed links.
    The valid range for seconds_integer is 1 to 65535.
    Default: 1
Example
This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a
default cost of 20, and MD5 authentication.
    config router ospf
      config area
        edit 15.1.1.1
          set type stub
          set stub-type summary
          set default-cost 20
          set authentication md5
      end
    end
This example shows how to use a filter list named acc_list1 to filter packets entering area 15.1.1.1.
    config router ospf
      config area
        edit 15.1.1.1
          config filter-list
            edit 1
              set direction in
              set list acc_list1
          end
      end
This example shows how to set the prefix for range 1 of area 15.1.1.1.
    config router ospf
      config area
        edit 15.1.1.1
          config range
            edit 1
              set prefix 1.1.0.0 255.255.0.0
          end
      end
This example shows how to configure a virtual link.
    config router ospf
      config area
        edit 15.1.1.1
          config virtual-link
            edit vlnk1
              set peer 1.1.1.1
          end
      end
config distribute-list
Use this subcommand to filter the networks in routing updates using an access list. Routes not
matched by any of the distribution lists will not be advertised.
You must configure the access list that you want the distribution list to use before you configure the
distribution list. To configure an access list, see access-list on page 192.
Note: The access-list and protocol keywords are required.
Variables Description Default
edit <distribute-list_id>
    Enter an ID number for the distribution list. The number must be an integer.
    No default.
access-list <name_str>
    Enter the name of the access list to use for this distribution list.
    Default: Null.
protocol {connected | rip | static}
    Advertise only the routes discovered by the specified protocol and that are permitted by the
    named access list.
    Default: connected
Example
This example shows how to configure distribution list 2 to use an access list named acc_list1 for all
static routes.
    config router ospf
      config distribute-list
        edit 2
          set access-list acc_list1
          set protocol static
      end
    end
config neighbor
Use this subcommand to manually configure an OSPF neighbor on non-broadcast networks. OSPF
packets are unicast to the specified neighbor address. You can configure multiple neighbors.
Note: The ip keyword is required. All other keywords are optional.
Variables Description Default
edit <neighbor_id>
    Enter an ID number for the OSPF neighbor. The number must be an integer.
    No default.
bfd
cost <cost_integer>
    Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.
    Default: 10
ip <address_ipv4>
    Enter the IP address of the neighbor.
    Default: 0.0.0.0
poll-interval <seconds_integer>
    Enter the time, in seconds, between hello packets sent to the neighbor in the down state. The value
    of the poll interval must be larger than the value of the hello interval. The valid range for
    seconds_integer is 1 to 65535.
    Default: 10
priority <priority_integer>
    Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.
    Default: 1
Example
This example shows how to manually add a neighbor.
    config router ospf
      config neighbor
        edit 1
          set ip 192.168.21.63
      end
    end
config network
Use this subcommand to identify the interfaces to include in the specified OSPF area. The prefix
keyword can define one or multiple interfaces.
Note: The area and prefix keywords are required.
Variables Description Default
edit <network_id>
    Enter an ID number for the network. The number must be an integer.
    No default.
area <id-address_ipv4>
    The ID number of the area to be associated with the prefix.
    Default: 0.0.0.0
prefix <address_ipv4mask>
    Enter the IP address and netmask for the OSPF network.
    Default: 0.0.0.0 0.0.0.0
Example
Use the following command to enable OSPF for the interfaces attached to networks specified by the IP
address 10.0.0.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.
    config router ospf
      config network
        edit 2
          set area 10.1.1.1
          set prefix 10.0.0.0 255.255.255.0
      end
    end
config ospf-interface
Use this subcommand to change interface related OSPF settings.
Note: The interface keyword is required. All other keywords are optional.
Variables Description Default
edit <ospf_interface_name>
    Enter a descriptive name for this OSPF interface configuration. To apply this configuration to a
    FortiGate interface, set the interface <name_str> attribute.
    No default.
authentication {md5 | none | text}
    Use the authentication keyword to define the authentication used for OSPF packets sent and
    received by this interface. If you select none, no authentication is used. If you select text, the
    authentication key is sent as plain text. If you select md5, the authentication key is used to
    generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the
    confidentiality of the routing information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to
    prevent network problems that can occur if an unwanted or misconfigured router is mistakenly
    added to the network.
    If you configure authentication for the interface, authentication for areas is not used.
    All routers on the network must use the same authentication type.
    Default: none
authentication-key <password_str>
    This keyword is available when authentication is set to text.
    Enter the password to use for text authentication.
    The authentication-key must be the same on all neighboring routers.
    The maximum length for the authentication-key is 15 characters.
    Default: * (No default.)
bfd {enable | disable}
    Select to enable Bi-directional Forwarding Detection (BFD). It is used to quickly detect hardware
    problems on the network. This command enables this service on this interface.
cost <cost_integer>
    Specify the cost (metric) of the link. The cost is used for shortest path first calculations.
    Default: 10
database-filter-out {enable | disable}
    Enable or disable flooding LSAs out of this interface.
    Default: disable
dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the
    dead-interval should be four times the value of the hello-interval.
    All routers on the network must use the same value for dead-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 40
hello-interval <seconds_integer>
    The time, in seconds, between hello packets.
    All routers on the network must use the same value for hello-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 10
interface <name_str>
    Enter the name of the interface to associate with this OSPF configuration. The interface might be
    a virtual IPSec or GRE interface.
    Default: Null.
ip <address_ipv4>
    Enter the IP address of the interface named by the interface keyword.
    It is possible to apply different OSPF configurations for different IP addresses defined on the
    same interface.
    The IP address 0.0.0.0 is not allowed.
    Default: 0.0.0.0
md5-key <id_integer> <key_str>
    This keyword is available when authentication is set to md5.
    Enter the key ID and password to use for MD5 authentication.
    You can add more than one key ID and key pair per interface. However, you cannot unset one key
    without unsetting all of the keys.
    The key ID and key must be the same on all neighboring routers.
    The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16
    characters.
    No default.
mtu <mtu_integer>
    Change the Maximum Transmission Unit (MTU) size included in database description packets sent out
    this interface. The valid range for mtu_integer is 576 to 65535.
    Default: 1500
mtu-ignore {enable | disable}
    Use this command to control the way OSPF behaves when the MTU in the sent and received database
    description packets does not match.
    When mtu-ignore is enabled, OSPF will stop detecting mismatched MTUs and go ahead and form an
    adjacency.
    When mtu-ignore is disabled, OSPF will detect mismatched MTUs and not form an adjacency.
    mtu-ignore should only be enabled if it is not possible to reconfigure the MTUs so that they
    match.
    Default: disable
network-type <type>
    Specify the type of network to which the interface is connected. OSPF supports four different
    types of network. This command specifies the behavior of the OSPF interface according to the
    network type, one of:
    broadcast
    non-broadcast
    point-to-multipoint
    point-to-point
    If you specify non-broadcast, you must also configure neighbors using config neighbor on
    page 113.
    Default: broadcast
priority <priority_integer>
    Set the router priority for this interface.
    Router priority is used during the election of a designated router (DR) and backup designated
    router (BDR).
    An interface with router priority set to 0 cannot be elected DR or BDR. The interface with the
    highest router priority wins the election. If there is a tie for router priority, router ID is
    used.
    Point-to-point networks do not elect a DR or BDR; therefore, this setting has no effect on a
    point-to-point network.
    The valid range for priority_integer is 0 to 255.
    Default: 1
resync-timeout <integer>
    Enter the synchronizing timeout for the graceful restart interval. This is the period for this
    interface to synchronize with a neighbor.
    Default: 40
retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit
    interval must be greater than the expected round-trip delay for a packet. The valid range for
    seconds_integer is 1 to 65535.
    Default: 5
status {enable | disable}
    Enable or disable OSPF on this interface.
    Default: enable
transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this interface.
    OSPF increments the age of the LSAs in the update packet to account for transmission and
    propagation delays on the interface.
    Increase the value for transmit-delay on low speed links.
    The valid range for seconds_integer is 1 to 65535.
    Default: 1
Example
This example shows how to assign an OSPF interface configuration named test to the interface
named internal and how to configure text authentication for this interface.
    config router ospf
      config ospf-interface
        edit test
          set interface internal
          set ip 192.168.20.3
          set authentication text
          set authentication-key a2b3c4d5e
      end
    end
config redistribute
Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct
connection to the destination network.
The OSPF redistribution table contains four static entries. You cannot add entries to the table. The
entries are defined as follows:
    bgp - Redistribute routes learned from BGP.
    connected - Redistribute routes learned from a direct connection to the destination network.
    static - Redistribute the static routes defined in the FortiGate routing table.
    rip - Redistribute routes learned from RIP.
When you enter the subcommand, end the command with one of the four static entry names (that is,
config redistribute {bgp | connected | static | rip}).
Note: All keywords are optional.
Variables Description Default
metric <metric_integer>
    Enter the metric to be used for the redistributed routes. The metric_integer range is from 1 to
    16777214.
    Default: 10
metric-type {1 | 2}
    Specify the external link type to be used for the redistributed routes.
    Default: 2
routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to
    configure route maps, see route-map on page 253.
    Default: Null.
status {enable | disable}
    Enable or disable redistributing routes.
    Default: disable
tag <tag_integer>
    Specify a tag for redistributed routes.
    The valid range for tag_integer is 0 to 4294967295.
    Default: 0
Example
This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map
named rtmp2.
    config router ospf
      config redistribute rip
        set metric 3
        set routemap rtmp2
        set status enable
      end
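The authentication, interval, network-type and router-id rules stated in the config area, config ospf-interface and config router ospf tables above lend themselves to an automated check. The following Python script is an added example, not code from the FortiGate CLI Reference or from Fortinet: it models the relevant settings in its own data classes (OspfRouter, OspfInterface and check_ospf are this example's names) and reports each rule the reference states that a configuration violates, so that a text-authenticated interface, an oversized key, a dead-interval that is not four times the hello-interval, or a non-broadcast interface with no configured neighbors is caught before the configuration is pushed.

```python
"""Added example, not from the FortiGate CLI Reference: checks a FortiGate-style
OSPF configuration against the rules stated in the router ospf reference.
The data classes and function names are this example's own assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class OspfInterface:
    name: str                               # config ospf-interface entry name
    interface: str                          # FortiGate interface it applies to
    authentication: str = "none"            # md5 | none | text
    authentication_key: Optional[str] = None
    md5_keys: Dict[int, str] = field(default_factory=dict)  # id_integer -> key_str
    hello_interval: int = 10
    dead_interval: int = 40
    network_type: str = "broadcast"


@dataclass
class OspfRouter:
    router_id: str = "0.0.0.0"
    spf_timers: Tuple[int, int] = (5, 10)                 # delay_integer hold_integer
    neighbors: List[str] = field(default_factory=list)    # config neighbor ip addresses
    interfaces: List[OspfInterface] = field(default_factory=list)


def check_ospf(cfg: OspfRouter) -> List[str]:
    """Return one finding per violated rule; an empty list means every check passed."""
    findings: List[str] = []
    if cfg.router_id == "0.0.0.0":
        findings.append("router-id: 0.0.0.0 is not allowed")
    if 0 in cfg.spf_timers:
        findings.append("spf-timers: a value of 0 can use up all available CPU")
    for i in cfg.interfaces:
        p = f"ospf-interface {i.name} ({i.interface})"
        if i.authentication == "none":
            findings.append(f"{p}: no authentication; an unwanted or misconfigured "
                            "router can join the network")
        elif i.authentication == "text":
            # text mode only guards against accidental neighbours: the key crosses
            # the wire in clear text, so anyone on the segment can read it
            findings.append(f"{p}: text authentication sends the key in clear text")
            if not i.authentication_key:
                findings.append(f"{p}: authentication text needs authentication-key")
            elif len(i.authentication_key) > 15:
                findings.append(f"{p}: authentication-key longer than 15 characters")
        elif i.authentication == "md5":
            if not i.md5_keys:
                findings.append(f"{p}: authentication md5 needs at least one md5-key")
            for kid, key in i.md5_keys.items():
                if not 1 <= kid <= 255:
                    findings.append(f"{p}: md5-key id {kid} is outside 1 to 255")
                if not (key.isalnum() and len(key) <= 16):
                    findings.append(f"{p}: md5-key {kid} must be alphanumeric, "
                                    "up to 16 characters")
        else:
            findings.append(f"{p}: unknown authentication type {i.authentication!r}")
        for label, value in (("hello-interval", i.hello_interval),
                             ("dead-interval", i.dead_interval)):
            if not 1 <= value <= 65535:
                findings.append(f"{p}: {label} {value} is outside 1 to 65535")
        if i.dead_interval != 4 * i.hello_interval:
            findings.append(f"{p}: dead-interval {i.dead_interval} is not four times "
                            f"hello-interval {i.hello_interval}")
        if i.network_type == "non-broadcast" and not cfg.neighbors:
            findings.append(f"{p}: network-type non-broadcast needs config neighbor entries")
    return findings


def weak_config() -> OspfRouter:
    """Constructed sample: the reference's own 'test' interface example, which uses
    text authentication, on a router that still has the default router-id."""
    return OspfRouter(interfaces=[OspfInterface("test", "internal", "text", "a2b3c4d5e")])


def hardened_config() -> OspfRouter:
    """Constructed sample: the same interface with a router-id set and MD5
    authentication (the key id and key are made up for this example)."""
    return OspfRouter(router_id="1.1.1.1", interfaces=[
        OspfInterface("test", "internal", "md5", md5_keys={1: "k3yF0rTest"})])


if __name__ == "__main__":
    for name, cfg in (("weak", weak_config()), ("hardened", hardened_config())):
        print(f"{name}: {check_ospf(cfg) or ['ok']}")
```

Run against the reference's own text-authentication example the checker reports two findings (the unset router-id and the clear-text key); the MD5 variant reports none. The md5-key check treats the key as alphanumeric and at most 16 characters, exactly as the table states, and the interval check applies the "four times" guidance as a hard rule, which is stricter than the reference requires.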
config summary-address
Use this subcommand to summarize external routes for redistribution into OSPF. This command works
only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For
information on summarization between areas, see config range variables on page 230. By replacing
the LSAs for each route with one aggregate route, you reduce the size of the OSPF link-state
database.
Note: The prefix keyword is required. All other keywords are optional.
Variables Description Default
edit <summary-address_id>
    Enter an ID number for the summary address. The number must be an integer.
    No default.
advertise {enable | disable}
    Advertise or suppress the summary route that matches the specified prefix.
    Default: enable
prefix <address_ipv4mask>
    Enter the prefix (IP address and netmask) to use for the summary route. The prefix
    0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0
tag <tag_integer>
    Specify a tag for the summary route.
    The valid range for tag_integer is 0 to 4294967295.
    Default: 0
Example
This example shows how to summarize routes using the prefix 10.0.0.0 255.0.0.0.
    config router ospf
      config summary-address
        edit 5
          set prefix 10.0.0.0 255.0.0.0
      end
    end
Command history
FortiOS v2.80 New.
FortiOS v3.0 Added distance-external, distance-inter-area, distance-intra-area, and distribute-list-in
    keywords. Changed default value of abr-type attribute to standard.
FortiOS v3.0 MR4 Added bfd, restart-mode, resync-timeout, and restart-period keywords.
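Both config range (inter-area summaries on an ABR) and config summary-address (external summaries on an ASBR) replace the routes inside a prefix with one aggregate. The following Python script is an added example, not code from the FortiGate CLI Reference or from Fortinet, that makes the effect concrete with the standard ipaddress module: it shows which routes a summary prefix suppresses, computes the tightest prefix that still covers a set of contiguous networks, and lists the address space inside a summary that no route actually backs, which is the space a too-wide summary advertises for nothing. The function names and the sample networks are this example's own.

```python
"""Added example, not from the FortiGate CLI Reference: what a summary prefix
(config range for inter-area summaries on an ABR, config summary-address for
external routes on an ASBR) does to a set of routes, and a check for the address
space an aggregate advertises without any route behind it. Function names and
sample prefixes are this example's own assumptions."""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


def summarize(routes: List[IPv4Net], summary: IPv4Net) -> Tuple[List[IPv4Net], List[IPv4Net]]:
    """Return (advertised, suppressed): routes inside the summary prefix are replaced
    by the one aggregate route, routes outside it are advertised unchanged."""
    inside = [r for r in routes if r.subnet_of(summary)]
    outside = [r for r in routes if not r.subnet_of(summary)]
    advertised = sorted(outside + ([summary] if inside else []))
    return advertised, inside


def smallest_covering_prefix(routes: List[IPv4Net]) -> IPv4Net:
    """The shortest single prefix containing every route: the tightest range or
    summary-address prefix that still covers all of them."""
    ordered = sorted(routes)
    first, last = ordered[0], ordered[-1]
    prefix = first
    while not last.subnet_of(prefix):
        prefix = prefix.supernet()
    return prefix


def uncovered_space(routes: List[IPv4Net], summary: IPv4Net) -> List[IPv4Net]:
    """Blocks inside the summary that no route covers. The aggregate attracts
    traffic for them although nothing lies behind them, so a wider prefix than
    necessary is worth flagging."""
    leftovers = [summary]
    for r in routes:
        if not r.subnet_of(summary):
            continue
        carved = []
        for block in leftovers:
            if r.subnet_of(block):
                carved.extend(block.address_exclude(r))   # empty when r == block
            elif not block.subnet_of(r):
                carved.append(block)                      # untouched by this route
        leftovers = carved
    return sorted(leftovers)


def sample_routes() -> List[IPv4Net]:
    """Constructed sample: three contiguous networks plus one outside the
    1.1.0.0/16 prefix used in the reference's own config range example."""
    return [net("1.1.0.0/24"), net("1.1.1.0/24"), net("1.1.2.0/23"), net("1.2.0.0/24")]


if __name__ == "__main__":
    routes = sample_routes()
    adv, sup = summarize(routes, net("1.1.0.0/16"))
    print("advertised:", adv, "suppressed:", sup)
    print("tightest prefix for the suppressed routes:", smallest_covering_prefix(sup))
    print("unused space inside 1.1.0.0/16:", uncovered_space(routes, net("1.1.0.0/16")))
```

With the sample routes, the reference's 1.1.0.0 255.255.0.0 range collapses three /24 and /23 networks into one /16 while leaving 1.2.0.0/24 untouched, yet a /22 would have covered the same three routes; the remaining 64512 addresses of the /16 are advertised without any network behind them.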
Related topics
router access-list
get router info ospf
get router info protocols
get router info routing-table
router prefix-list
router route-map
router policy
policy
Use this command to add, move, edit or delete a route policy. When you create a policy route, any
packets that match the policy are forwarded to the IP address of the next-hop gateway through the
specified outbound interface.
You can configure the FortiGate unit to route packets based on:
    a source address
    a protocol, service type, or port range
    the inbound interface
When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to
match the packet with a policy in ascending order. If the packet matches no policy route, the FortiGate
unit routes the packet using the routing table. Route policies are processed before static routing. You
can change the order of policy routes using the move command. See config branch on page 34.
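The lookup just described (top of the list first, first match wins, no match falls through to the routing table) and the port-range rule given for start-port and end-port below can be exercised in a few lines. The following Python script is an added example, not code from the FortiGate CLI Reference or from Fortinet: PolicyRoute, Packet, lookup and move_policy are this example's own names, and the two sample policies are the ones from this command's Example (the second policy's destination subnet and gateway are taken from its prose description).

```python
"""Added example, not from the FortiGate CLI Reference: a model of the policy-route
lookup the reference describes. Policies are tried from the top of the list in
order, the first one whose input-device, src, dst, protocol and destination port
range all match decides the output-device and gateway, and a packet that matches
no policy is left to the routing table. Record layouts and names are this
example's own assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")      # the 0.0.0.0 0.0.0.0 default


@dataclass(frozen=True)
class PolicyRoute:
    seq: int
    input_device: str
    output_device: str
    gateway: str
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    protocol: int = 0                        # 0 matches any protocol
    start_port: Optional[int] = None         # both must be set for port matching
    end_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    input_device: str
    src: str
    dst: str
    protocol: int
    dst_port: int


def port_range_matches(p: PolicyRoute, port: int) -> bool:
    """Destination port matching only takes effect when both start-port and
    end-port are configured; start-port must not exceed end-port, and equal
    values match exactly one port."""
    if p.start_port is None or p.end_port is None:
        return True
    if p.start_port > p.end_port:
        return False                          # not a valid range, never matches
    return p.start_port <= port <= p.end_port


def matches(p: PolicyRoute, pkt: Packet) -> bool:
    return (p.input_device == pkt.input_device
            and ipaddress.ip_address(pkt.src) in p.src
            and ipaddress.ip_address(pkt.dst) in p.dst
            and p.protocol in (0, pkt.protocol)
            and port_range_matches(p, pkt.dst_port))


def lookup(policies: List[PolicyRoute], pkt: Packet) -> Optional[Tuple[str, str]]:
    """(output_device, gateway) of the first matching policy in list order, or
    None when the packet must be routed with the routing table."""
    for p in policies:
        if matches(p, pkt):
            return p.output_device, p.gateway
    return None


def move_policy(policies: List[PolicyRoute], seq1: int, where: str,
                seq2: int) -> List[PolicyRoute]:
    """Model of 'move <seq-num1> {before | after} <seq-num2>': returns the new order."""
    moving = next(p for p in policies if p.seq == seq1)
    rest = [p for p in policies if p.seq != seq1]
    idx = next(i for i, p in enumerate(rest) if p.seq == seq2)
    rest.insert(idx + 1 if where == "after" else idx, moving)
    return rest


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def sample_policies() -> List[PolicyRoute]:
    """Constructed sample: the two route policies of this command's Example."""
    return [
        PolicyRoute(1, "internal", "external", "1.1.1.1",
                    src=net("192.168.10.0/24"), dst=net("100.100.100.0/24")),
        PolicyRoute(2, "internal", "external", "2.2.2.1",
                    src=net("192.168.20.0/24"), dst=net("200.200.200.0/24")),
    ]


if __name__ == "__main__":
    pols = sample_policies()
    for pkt in (Packet("internal", "192.168.10.7", "100.100.100.9", 6, 443),
                Packet("internal", "192.168.10.7", "200.200.200.9", 6, 443)):
        print(pkt.src, "->", pkt.dst, lookup(pols, pkt) or "routing table")
```

A packet from 192.168.10.0/24 to 200.200.200.0/24 matches neither policy (wrong destination for the first, wrong source for the second) and so is routed from the routing table, which is the behaviour the note about missing route redundancy refers to: a policy either matches and decides the next hop on its own, or it does not apply at all.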
Command syntax pattern
    config router policy
      move <seq-num1> {before | after} <seq-num2>
      edit <policy_integer>
        set dst <dest-address_ipv4mask>
        set end-port <port_integer>
        set gateway <address_ipv4>
        set input-device <interface-name_str>
        set output-device <interface-name_str>
        set protocol <protocol_integer>
        set src <source-address_ipv4mask>
        set start-port <port_integer>
      end
Note: For static routing, any number of static routes can be defined for the same destination. When multiple
routes for the same destination exist, the FortiGate unit chooses the route having the lowest administrative
distance. Route redundancy is not available for policy routing: any packets that match a route policy are forwarded
according to the route specified in the policy.
Note: The input-device keyword is required. All other keywords are optional.
Variables Description Default
move <seq-num1> {before | after} <seq-num2>
    Move one policy before or after another.
    No default.
edit <policy_integer>
    Enter an ID number for the route policy. The number must be an integer.
    No default.
dst <dest-address_ipv4mask>
    Match packets that have this destination IP address and netmask.
    Default: 0.0.0.0 0.0.0.0
end-port <port_integer>
    The end port number of a port range for a policy route. Match packets that have this destination
    port range. You must configure both the start-port and end-port keywords for
    destination-port-range matching to take effect. To specify a range, the start-port value must be
    lower than the end-port value. To specify a single port, the start-port value must be identical
    to the end-port value. The port_integer range is 0 to 65 535.
    Default: 65 535
gateway <address_ipv4>
    Send packets that match the policy to this next hop router.
    Default: 0.0.0.0
FortiGate CLI Version 3.0 MR5 Reference
240 01-30005-0015-20070803
policy router
Example
If a FortiGate unit provides Internet access for multiple internal subnets, you can use policy routing to
control the route that traffic from each network takes to the Internet. For example, if the internal
network includes the subnets 192.168.10.0 and 192.168.20.0 you can enter the following route
policies:
Enter the following command to route traffic from the 192. 168. 10. 0 subnet to the
100. 100. 100. 0 subnet. Force the packets to the next hop gateway at IP address 1. 1. 1. 1
through the interface named ext er nal .
conf i g r out er pol i cy
edi t 1
set i nput - devi ce i nt er nal
set sr c 192. 168. 10. 0 255. 255. 255. 0
set dst 100. 100. 100. 0 255. 255. 255. 0
set out put - devi ce ext er nal
set gat eway 1. 1. 1. 1
end
Enter the following command to route traffic from the 192. 168. 20. 0 subnet to the 200.200.200.0
subnet. Force the packets to the next hop gateway at IP address 2. 2. 2. 1 through the interface
named ext er nal .
conf i g r out er pol i cy
edi t 2
set i nput - devi ce i nt er nal
set sr c 192. 168. 20. 0 255. 255. 255. 0
set dst 200. 200. 200. 0 255. 255. 255. 0
set out put - devi ce ext er nal
set gat eway 2. 2. 2. 1
end
Enter the following command to direct all HTTP traffic using port 80 to the next hop gateway at IP
address 1. 1. 1. 1.
conf i g r out er pol i cy
edi t 1
set i nput - devi ce i nt er nal
set sr c 0. 0. 0. 0 0. 0. 0. 0
set dst 0. 0. 0. 0 0. 0. 0. 0
i nput - devi ce
<i nt er f ace- name_st r >
Match packets that are received on this interface. Null.
out put - devi ce
<i nt er f ace- name_st r >
Send packets that match the policy out this interface. Null.
pr ot ocol <pr ot ocol _i nt eger > Match packets that have this protocol number. The range is
0 to 255.
0
sr c
<sour ce- addr ess_i pv4mask>
Match packets that have this source IP address and
netmask.
0. 0. 0. 0
0. 0. 0. 0
st ar t - por t <por t _i nt eger > The start port number of a port range for a policy route.
Match packets that have this destination port range. You
must configure both the st ar t - por t and end- por t
keywords for destination-port-range matching to take
effect. To specify a range, the st ar t - por t value must be
lower than the end- por t value. To specify a single port,
the st ar t - por t value must be identical to the end- por t
value. The por t _i nt eger range is 0 to 65 535.
1
Variables Description Default
router policy
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 241
set out put - devi ce ext er nal
set gat eway 1. 1. 1. 1
set pr ot ocol 6
set st ar t - por t 80
set end- por t 80
end
Enter the following command to direct all other traffic to the next hop gateway at IP address
2. 2. 2. 1.
conf i g r out er pol i cy
edi t 2
set i nput - devi ce i nt er nal
set sr c 0. 0. 0. 0 0. 0. 0. 0
set dst 0. 0. 0. 0 0. 0. 0. 0
set out put - devi ce ext er nal
set gat eway 2. 2. 2. 1
end
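The matching rules this section describes (first match in list order, all of input-device, src, dst, protocol and destination-port range must agree, fall back to the routing table when nothing matches, and reordering with move) can be exercised with a small model. This is an added example, not FortiOS code or Fortinet's own implementation; the interface names, addresses and packets are constructed sample values, and the two policies are the HTTP example above.

```python
"""Model of FortiGate policy-route selection as described in this section.

Added illustration, not FortiOS code. It reproduces the documented rules only:
policies are tried in list order (ascending unless reordered with 'move'), the
first policy whose input-device, src, dst, protocol and destination-port range
all match wins, and a packet that matches no policy falls back to the routing
table. All addresses and interface names below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class PolicyRoute:
    seq: int
    input_device: str                    # the one required keyword
    output_device: str = ""
    gateway: str = "0.0.0.0"
    src: str = "0.0.0.0/0.0.0.0"         # default 0.0.0.0 0.0.0.0 matches any source
    dst: str = "0.0.0.0/0.0.0.0"
    protocol: int = 0                    # 0 = any protocol (range 0 to 255)
    start_port: int = 1                  # defaults from the variable table above
    end_port: int = 65535

    def matches(self, pkt: "Packet") -> bool:
        if pkt.input_device != self.input_device:
            return False
        if pkt.src not in IPv4Network(self.src, strict=False):
            return False
        if pkt.dst not in IPv4Network(self.dst, strict=False):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        # Port-range matching only applies to packets that carry a destination
        # port; start-port must not be higher than end-port for a valid range.
        if pkt.dst_port is None:
            return True
        return self.start_port <= pkt.dst_port <= self.end_port


@dataclass
class Packet:
    input_device: str
    src: IPv4Address
    dst: IPv4Address
    protocol: int
    dst_port: Optional[int] = None


def select_route(policies: List[PolicyRoute], pkt: Packet) -> Optional[Tuple[int, str, str]]:
    """Return (seq, output-device, gateway) of the first matching policy in list
    order, or None to mean 'no policy matched, use the routing table'."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.seq, pol.output_device, pol.gateway
    return None


def move(policies: List[PolicyRoute], seq1: int, where: str, seq2: int) -> None:
    """Model of 'move <seq1> {before | after} <seq2>': reorder the list in place."""
    moving = next(p for p in policies if p.seq == seq1)
    policies.remove(moving)
    anchor = next(i for i, p in enumerate(policies) if p.seq == seq2)
    policies.insert(anchor if where == "before" else anchor + 1, moving)


def http_policies() -> List[PolicyRoute]:
    """The two policies from the HTTP example above: TCP/80 to 1.1.1.1, all else to 2.2.2.1."""
    return [
        PolicyRoute(seq=1, input_device="internal", output_device="external",
                    gateway="1.1.1.1", protocol=6, start_port=80, end_port=80),
        PolicyRoute(seq=2, input_device="internal", output_device="external",
                    gateway="2.2.2.1"),
    ]


def route_http():
    pkt = Packet("internal", IPv4Address("192.168.10.5"), IPv4Address("203.0.113.10"), 6, 80)
    return select_route(http_policies(), pkt)


def route_https():
    pkt = Packet("internal", IPv4Address("192.168.10.5"), IPv4Address("203.0.113.10"), 6, 443)
    return select_route(http_policies(), pkt)


def route_from_dmz():
    # Received on an interface no policy names: falls through to the routing table.
    pkt = Packet("dmz", IPv4Address("10.9.0.7"), IPv4Address("203.0.113.10"), 6, 80)
    return select_route(http_policies(), pkt)


def route_http_after_move():
    # 'move 2 before 1' puts the catch-all first, so it now shadows the HTTP policy.
    policies = http_policies()
    move(policies, 2, "before", 1)
    pkt = Packet("internal", IPv4Address("192.168.10.5"), IPv4Address("203.0.113.10"), 6, 80)
    return select_route(policies, pkt)
```

The last function is the check worth keeping in mind when using move: a policy with all-zero src and dst and no protocol or port restriction matches every packet on its input-device, so once it precedes a more specific policy the specific one can never match.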
Command history
FortiOS v2.80 Revised.
FortiOS v3.0 Replaced all underscore characters in keywords with hyphens. Changed default start-point
number to 1. Changed default end-point number to 65535.
Related topics
router static
prefix-list
Use this command to add, edit, or delete prefix lists. A prefix list is an enhanced version of an access
list that allows you to control the length of the prefix netmask.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix
(permit or deny), and maximum and minimum prefix length settings.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the
list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the
default action is deny. A prefix list should be used to match the default route 0.0.0.0/0.
For a prefix list to take effect, it must be called by another FortiGate routing feature such as RIP or
OSPF.
Command syntax pattern
    config router prefix-list
        edit <prefix_list_name>
            set comments <string>
            config rule
                edit <prefix_rule_id>
                    set action {deny | permit}
                    set ge <length_integer>
                    set le <length_integer>
                    set prefix {<address_ipv4mask> | any}
            end
    end
Note: The action and prefix keywords are required. All other keywords are optional.
Variables, with description and default:
edit <prefix_list_name>
    Enter a name for the prefix list. A prefix list and an access list cannot have the same name.
    Default: No default.
comments <string>
    Enter a description for this entry. The description can be up to 127 characters long.
config rule variables
edit <prefix_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.
action {deny | permit}
    Set the action to take for this prefix.
    Default: permit
ge <length_integer>
    Match prefix lengths that are greater than or equal to this number. The setting for ge should be
    less than the setting for le. The setting for ge should be greater than the netmask set for prefix.
    length_integer can be any number from 0 to 32.
    Default: 0
le <length_integer>
    Match prefix lengths that are less than or equal to this number. The setting for le should be
    greater than the setting for ge. length_integer can be any number from 0 to 32.
    Default: 32
prefix {<address_ipv4mask> | any}
    Enter the prefix (IP address and netmask) for this prefix list rule or enter any to match any
    prefix. The length of the netmask should be less than the setting for ge. If prefix is set to any,
    ge and le should not be set.
    Default: 0.0.0.0 0.0.0.0
Examples
This example shows how to add a prefix list named prf_list1 with three rules. The first rule permits
subnets that match prefix lengths between 26 and 30 for the prefix 192.168.100.0
255.255.255.0. The second rule denies subnets that match the prefix lengths between 20 and 25
for the prefix 10.1.0.0 255.255.0.0. The third rule denies all other traffic.
    config router prefix-list
        edit prf_list1
            config rule
                edit 1
                    set prefix 192.168.100.0 255.255.255.0
                    set action permit
                    set ge 26
                    set le 30
                next
                edit 2
                    set prefix 10.1.0.0 255.255.0.0
                    set action deny
                    set ge 20
                    set le 25
                next
                edit 3
                    set prefix any
                    set action deny
            end
    end
The following example shows how to create a prefix list that will drop the default route but allow all
other prefixes to be passed. The first rule matches the default route only and is set to deny; the second
rule matches all other prefixes and allows them to be passed.
    config router prefix-list
        edit "drop_default"
            config rule
                edit 1
                    set action deny
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    unset le
                next
                edit 2
                    set prefix any
                    unset ge
                    unset le
                next
            end
        next
    end
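The two examples above can be replayed against candidate prefixes to see how the ge/le bounds and the final deny behave. This is an added example, not FortiOS code; it models the semantics the variable table states (first matching rule decides, deny when nothing matches, ge and le bound the route's mask length) and makes one assumption the table does not spell out but the drop_default example depends on: with ge and le both unset, a rule matches only routes whose mask length equals the configured prefix length. The lint helper flags the configuration mistakes the table warns against.

```python
"""Model of FortiGate prefix-list evaluation as described in this section.

Added illustration, not FortiOS code. Rules are tried from the top; the first
rule whose prefix and length bounds match decides (permit/deny); a route that
matches no rule is denied. Assumption (not stated in the table, but what the
drop_default example above relies on): when ge and le are both unset, the route
must have exactly the length of the configured prefix.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass
class PrefixRule:
    rule_id: int
    prefix: str = "any"                  # "addr/mask" or the keyword any
    action: str = "permit"               # default action from the table above
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Network) -> bool:
        if self.prefix == "any":
            return True
        base = IPv4Network(self.prefix, strict=False)
        # The route must fall inside the configured prefix ...
        if not route.subnet_of(base):
            return False
        # ... and its mask length must satisfy the ge/le bounds.
        if self.ge is None and self.le is None:
            return route.prefixlen == base.prefixlen
        low = self.ge if self.ge is not None else 0
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def evaluate(rules: List[PrefixRule], route: str) -> str:
    """Return 'permit' or 'deny' for a route prefix such as '192.168.100.64/26'."""
    net = IPv4Network(route, strict=False)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(net):
            return rule.action
    return "deny"                         # documented default when nothing matches


def lint(rules: List[PrefixRule]) -> List[str]:
    """Flag the misconfigurations the variable table warns about."""
    problems = []
    for r in rules:
        if r.prefix == "any" and (r.ge is not None or r.le is not None):
            problems.append(f"rule {r.rule_id}: ge/le should not be set with prefix any")
        if r.ge is not None and r.le is not None and r.ge > r.le:
            problems.append(f"rule {r.rule_id}: ge must not exceed le")
        if r.prefix != "any" and r.ge is not None:
            if r.ge < IPv4Network(r.prefix, strict=False).prefixlen:
                problems.append(f"rule {r.rule_id}: ge is shorter than the prefix mask")
    return problems


# prf_list1 from the first example above.
PRF_LIST1 = [
    PrefixRule(1, "192.168.100.0/255.255.255.0", "permit", ge=26, le=30),
    PrefixRule(2, "10.1.0.0/255.255.0.0", "deny", ge=20, le=25),
    PrefixRule(3, "any", "deny"),
]

# drop_default from the second example; rule 2 keeps the default action (permit).
DROP_DEFAULT = [
    PrefixRule(1, "0.0.0.0/0.0.0.0", "deny"),
    PrefixRule(2, "any"),
]
```

Note that in drop_default a /8 does not match rule 1 even though it lies inside 0.0.0.0/0: with ge and le unset the rule is an exact-length match, which is what confines it to the default route.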
Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 Changed default for le from 0 to 32.
FortiOS v3.0 MR4 Added second example.
Related topics
router access-list
router rip
rip
Use this command to configure the Routing Information Protocol (RIP) on the FortiGate unit. RIP is a
distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop
count as its routing metric. Each network is usually counted as one hop. The network diameter is
limited to 15 hops; a hop count of 16 means the destination is unreachable.
Command syntax pattern
    config router rip
        set default-information-originate {enable | disable}
        set default-metric <metric_integer>
        set garbage-timer <timer_integer>
        set passive-interface <name_str>
        set timeout-timer <timer_integer>
        set update-timer <timer_integer>
        set version {1 2}
        config distance
            edit <distance_id>
                set access-list <name_str>
                set distance <distance_integer>
                set prefix <address_ipv4mask>
        end
        config distribute-list
            edit <distribute_list_id>
                set direction {in | out}
                set interface <name_str>
                set listname <access/prefix-list name_str>
                set status {enable | disable}
        end
        config interface
            edit <interface_name>
                set auth-keychain <name_str>
                set auth-mode {none | text | md5}
                set auth-string <password_str>
                set receive-version {1 2}
                set send-version {1 2}
                set send-version1-compatible {enable | disable}
                set split-horizon {poisoned | regular}
                set split-horizon-status {enable | disable}
        end
        config neighbor
            edit <neighbor_id>
                set ip <address_ipv4>
        end
        config network
            edit <network_id>
                set prefix <address_ipv4mask>
        end
        config offset-list
            edit <offset_list_id>
                set access-list <name_str>
                set direction {in | out}
                set interface <name_str>
                set offset <metric_integer>
                set status {enable | disable}
        end
        config redistribute {connected | static | ospf | bgp}
            set metric <metric_integer>
            set routemap <name_str>
            set status {enable | disable}
        end
config router rip
Use this command to specify RIP operating parameters. The FortiGate implementation of RIP supports
both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2
enables RIP messages to carry more information, and to support simple authentication and subnet
masks.
Note: All keywords are optional.
Variables, with description and default:
default-information-originate {enable | disable}
    Enter enable to advertise a default static route into RIP.
    Default: disable
default-metric <metric_integer>
    For non-default routes in the static routing table and directly connected networks, the default
    metric is the metric that the FortiGate unit advertises to adjacent routers. This metric is added to
    the metrics of learned routes. The default metric can be a number from 1 to 16.
    Default: 1
garbage-timer <timer_integer>
    The time in seconds that must elapse after the timeout interval for a route expires, before RIP
    deletes the route. If RIP receives an update for the route after the timeout timer expires but before
    the garbage timer expires, then the entry is switched back to reachable.
    RIP timer defaults are effective in most configurations. All routers and access servers in the
    network should have the same RIP timer settings.
    Default: 120
passive-interface <name_str>
    Block RIP broadcasts on the specified interface. You can use config neighbor on page 250 and the
    passive interface command to allow RIP to send unicast updates to the specified neighbor while
    blocking broadcast updates on the specified interface.
    Default: No default.
timeout-timer <timer_integer>
    The time interval in seconds after which a route is declared unreachable. The route is removed
    from the routing table. RIP holds the route until the garbage timer expires and then deletes the
    route. If RIP receives an update for the route before the timeout timer expires, then the
    timeout-timer is restarted. If RIP receives an update for the route after the timeout timer expires
    but before the garbage timer expires, then the entry is switched back to reachable. The value of
    the timeout timer should be at least three times the value of the update timer.
    RIP timer defaults are effective in most configurations. All routers and access servers in the
    network should have the same RIP timer settings.
    Default: 180
update-timer <timer_integer>
    The time interval in seconds between RIP updates.
    RIP timer defaults are effective in most configurations. All routers and access servers in the
    network should have the same RIP timer settings.
    Default: 30
version {1 2}
    Enable sending and receiving RIP version 1 packets, RIP version 2 packets, or both for all
    RIP-enabled interfaces. You can override this setting on a per interface basis using the
    receive-version {1 2} and send-version {1 2} keywords described under config interface on
    page 248.
    Default: 2
Example
This example shows how to enable the advertising of a default static route into RIP, enable the sending
and receiving of RIP version 1 packets, and set the default metric to 5:
    config router rip
        set default-information-originate enable
        set version 1
        set default-metric 5
    end
config distance
Use this subcommand to specify an administrative distance. When different routing protocols provide
multiple routes to the same destination, the administrative distance sets the priority of those routes.
The lowest administrative distance indicates the preferred route. If you specify a prefix, RIP uses the
specified distance when the source IP address of a packet matches the prefix.
Note: The distance keyword is required. All other keywords are optional.
Variables, with description and default:
edit <distance_id>
    Enter an entry number for the distance. The number must be an integer.
    Default: No default.
access-list <name_str>
    Enter the name of an access list. The distances associated with the routes in the access list will
    be modified. To create an access list, see access-list on page 192.
    Default: Null.
distance <distance_integer>
    Enter a number from 1 to 255, to set the administrative distance.
    Default: 0
prefix <address_ipv4mask>
    Optionally enter a prefix to apply the administrative distance to.
    Default: 0.0.0.0 0.0.0.0
Example
This example shows how to change the administrative distance to 10.
    config router rip
        config distance
            edit 1
                set distance 10
            end
    end
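The interaction of update-timer, timeout-timer and garbage-timer described in the variable table above, including the case where an update arrives after the timeout has expired but before the garbage timer has, is easiest to see as a small state machine. This is an added example, not FortiOS code; it uses simulated seconds rather than real clocks, the default timer values from the table, and constructed update times.

```python
"""Model of the RIP route timers described in the table above (update-timer,
timeout-timer, garbage-timer). Added illustration, not FortiOS code; times are
simulated seconds, not real clocks.

Documented behaviour modelled: a route stays reachable while updates keep
arriving before the timeout timer expires; when it expires the route becomes
unreachable and the garbage timer starts; an update that arrives after the
timeout but before the garbage timer expires switches the entry back to
reachable; when the garbage timer expires the route is deleted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RipTimers:
    update: int = 30      # seconds between updates (default 30)
    timeout: int = 180    # route declared unreachable after this (default 180)
    garbage: int = 120    # deleted this long after the timeout (default 120)

    def warnings(self) -> List[str]:
        """The consistency rule the table states: timeout at least 3 * update."""
        if self.timeout < 3 * self.update:
            return ["timeout-timer should be at least three times update-timer"]
        return []


@dataclass
class RipRouteEntry:
    timers: RipTimers
    state: str = "absent"            # absent -> reachable -> unreachable -> deleted
    timeout_at: Optional[int] = None
    garbage_at: Optional[int] = None

    def advance(self, now: int) -> str:
        """Expire timers up to 'now' and return the resulting state."""
        if self.state == "reachable" and now >= self.timeout_at:
            self.state = "unreachable"
            self.garbage_at = self.timeout_at + self.timers.garbage
        if self.state == "unreachable" and now >= self.garbage_at:
            self.state = "deleted"
        return self.state

    def receive_update(self, now: int) -> str:
        """An update for the route restarts the timeout timer. If the route was
        already unreachable (garbage timer running) it becomes reachable again;
        if it had been deleted it is simply learned afresh."""
        self.advance(now)
        self.state = "reachable"
        self.timeout_at = now + self.timers.timeout
        self.garbage_at = None
        return self.state


def trace(update_times: List[int], sample_times: List[int],
          timers: Optional[RipTimers] = None) -> Dict[int, str]:
    """Replay updates at the given times and report the state at each sample time."""
    entry = RipRouteEntry(timers or RipTimers())
    events = sorted([(t, "update") for t in update_times] +
                    [(t, "sample") for t in sample_times])
    states = {}
    for t, kind in events:
        if kind == "update":
            entry.receive_update(t)
        else:
            states[t] = entry.advance(t)
    return states


def silent_neighbor() -> Dict[int, str]:
    """One update, then silence: unreachable at 180 s, deleted at 300 s."""
    return trace([0], [100, 180, 250, 300])


def late_update() -> Dict[int, str]:
    """An update at 200 s (after the 180 s timeout, before the 300 s garbage
    expiry) revives the route; it then ages out 180 s later."""
    return trace([0, 200], [250, 379, 380, 500])
```

The warnings method is the check to run when changing timers on one router: because every router on the segment should carry the same values, a timeout shorter than three update intervals on a single unit is usually a typo rather than a tuning decision.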
config distribute-list
Use this subcommand to filter incoming or outgoing updates using an access list or a prefix list. If you
do not specify an interface, the filter will be applied to all interfaces. You must configure the access list
or prefix list that you want the distribution list to use before you configure the distribution list. For more
information on configuring access lists and prefix lists, see access-list on page 192 and prefix-list on
page 242.
Note: The direction and listname keywords are required. All other keywords are optional.
Variables, with description and default:
edit <distribute_list_id>
    Enter an entry number for the distribution list. The number must be an integer.
    Default: No default.
direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing
    packets.
    Default: out
interface <name_str>
    Enter the name of the interface to apply this distribution list to. If you do not specify an interface,
    this distribution list will be used for all interfaces.
    Default: Null.
listname <access/prefix-list name_str>
    Enter the name of the access list or prefix list to use for this distribution list.
    Default: Null.
status {enable | disable}
    Enable or disable this distribution list.
    Default: disable
Example
This example shows how to configure and enable distribution list 2 to use an access list named
acc_list1 on incoming updates on the external interface.
    config router rip
        config distribute-list
            edit 2
                set direction in
                set interface external
                set listname acc_list1
                set status enable
            end
    end
config interface
Use this subcommand to configure RIP version 2 authentication, RIP version send and receive for the
specified interface, and to configure and enable split horizon.
Authentication is only available for RIP version 2 packets sent and received by an interface. You must
set auth-mode to none when receive-version or send-version are set to 1 or 1 2 (both are
set to 1 by default).
Note: All keywords are optional.
Variables, with description and default:
edit <interface_name>
    Type the name of the FortiGate interface that is linked to the RIP network. The interface might be
    a virtual IPSec or GRE interface.
    Default: No default.
auth-keychain <name_str>
    Enter the name of the key chain to use for authentication for RIP version 2 packets sent and
    received by this interface. Use key chains when you want to configure multiple keys. For
    information on how to configure key chains, see key-chain on page 212.
    Default: Null.
auth-mode {none | text | md5}
    Use the auth-mode keyword to define the authentication used for RIP version 2 packets sent and
    received by this interface. If you select none, no authentication is used. If you select text, the
    authentication key is sent as plain text. If you select md5, the authentication key is used to
    generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the
    confidentiality of the routing information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to
    prevent network problems that can occur if an unwanted or misconfigured router is mistakenly
    added to the network.
    Use the auth-string keyword to specify the key.
    Default: none
auth-string <password_str>
    Enter a single key to use for authentication for RIP version 2 packets sent and received by this
    interface. Use auth-string when you only want to configure one key. The key can be up to 35
    characters long.
    Default: Null.
receive-version {1 2}
    RIP routing messages are UDP packets that use port 520.
    Enter 1 to configure RIP to listen for RIP version 1 messages on an interface.
    Enter 2 to configure RIP to listen for RIP version 2 messages on an interface.
    Enter 1 2 to configure RIP to listen for both RIP version 1 and RIP version 2 messages on an
    interface.
    Default: No default.
send-version {1 2}
    RIP routing messages are UDP packets that use port 520.
    Enter 1 to configure RIP to send RIP version 1 messages from an interface.
    Enter 2 to configure RIP to send RIP version 2 messages from an interface.
    Enter 1 2 to configure RIP to send both RIP version 1 and RIP version 2 messages from an
    interface.
    Default: No default.
send-version1-compatible {enable | disable}
    Enable or disable sending broadcast updates from an interface configured for RIP version 2.
    RIP version 2 normally multicasts updates. RIP version 1 can only receive broadcast updates.
    Default: disable
split-horizon {poisoned | regular}
    Configure RIP to use either regular or poisoned split horizon on this interface.
    Select regular to prevent RIP from sending updates for a route back out the interface from which
    it received that route.
    Select poisoned to send updates with routes learned on an interface back out the same interface
    but with the routes marked as unreachable.
    Default: poisoned
split-horizon-status {enable | disable}
    Enable or disable split horizon for this interface. Split horizon is enabled by default.
    Disable split horizon only if there is no possibility of creating a counting to infinity loop when
    network topology changes.
    Default: enable
Example
This example shows how to configure the external interface to send and receive RIP version 2, to use
MD5 authentication, and to use a key chain called test1.
    config router rip
        config interface
            edit external
                set receive-version 2
                set send-version 2
                set auth-mode md5
                set auth-keychain test1
            end
    end
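What the auth-mode table says about text versus md5 (the key travels in clear in text mode, only a digest travels in md5 mode, and neither mode hides the routing information) can be shown at the byte level. This is an added example, not FortiOS code; the packet layouts follow RFC 2453 section 4.1 (simple password) and RFC 2082 (keyed MD5) as I read them, and the route entry, key and sequence number are constructed sample values.

```python
"""Wire-level illustration of the two RIP version 2 authentication modes the
auth-mode keyword offers: text (simple password, RFC 2453 section 4.1) and md5
(keyed MD5, RFC 2082). Added example, not FortiOS code; the packet layout
follows those RFCs as I read them, and the route, key and sequence number are
constructed sample values.
"""
import hashlib
import hmac
import socket
import struct
from typing import List

RIP_UDP_PORT = 520
AUTH_AFI = 0xFFFF
AUTH_SIMPLE, AUTH_KEYED_MD5 = 2, 3


def rip_header(command: int = 2, version: int = 2) -> bytes:
    # command 2 = response (a routing update), version 2, two unused bytes
    return struct.pack("!BBH", command, version, 0)


def route_entry(ip: str, mask: str, metric: int, nexthop: str = "0.0.0.0", tag: int = 0) -> bytes:
    """One 20-byte RIP-2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag, socket.inet_aton(ip),
                       socket.inet_aton(mask), socket.inet_aton(nexthop), metric)


def _pad_key(key: bytes) -> bytes:
    return key[:16].ljust(16, b"\x00")


def simple_password_packet(routes: List[bytes], password: bytes) -> bytes:
    """auth-mode text: the first entry carries the password itself in clear text."""
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, _pad_key(password))
    return rip_header() + auth + b"".join(routes)


def keyed_md5_packet(routes: List[bytes], key: bytes, key_id: int = 1, seq: int = 1) -> bytes:
    """auth-mode md5: an authentication header entry plus a 16-byte digest trailer.
    The digest is MD5 over the packet with the padded key standing in the trailer;
    the key is then overwritten by the digest, so the key itself never leaves the router."""
    body_len = 4 + 20 + 20 * len(routes)        # header + auth entry + routes (trailer excluded)
    auth = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_KEYED_MD5, body_len, key_id, 16, seq, b"\x00" * 8)
    unsigned = rip_header() + auth + b"".join(routes) + struct.pack("!HH", AUTH_AFI, 1)
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


def verify_keyed_md5(packet: bytes, key: bytes) -> bool:
    """Receiver-side check: recompute the digest with the local key and compare."""
    if len(packet) < 4 + 20 + 20 or packet[4:8] != struct.pack("!HH", AUTH_AFI, AUTH_KEYED_MD5):
        return False
    if packet[-20:-16] != struct.pack("!HH", AUTH_AFI, 1):
        return False
    expected = hashlib.md5(packet[:-16] + _pad_key(key)).digest()
    return hmac.compare_digest(expected, packet[-16:])


def key_visible_on_wire(packet: bytes, key: bytes) -> bool:
    """What a passive observer of UDP/520 traffic learns about the key."""
    return key in packet


SAMPLE_ROUTE = route_entry("10.1.0.0", "255.255.0.0", metric=1)   # constructed
SAMPLE_KEY = b"example-key"                                        # constructed
```

The tampered-packet check in the test is the property md5 mode buys: changing a metric in transit (for example to 16, unreachable) invalidates the digest, which text mode cannot detect. The route bytes remain readable in both packets, which is the "authenticity, not confidentiality" caveat in the table.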
config neighbor
Use this subcommand to enable RIP to send unicast routing updates to the router at the specified
address. You can use the neighbor subcommand and passive-interface <name_str> on page 246
to allow RIP to send unicast updates to the specified neighbor while blocking broadcast updates on the
specified interface. You can configure multiple neighbors.
Note: The ip keyword is required. All other keywords are optional.
Variables, with description and default:
edit <neighbor_id>
    Enter an entry number for the RIP neighbor. The number must be an integer.
    Default: No default.
ip <address_ipv4>
    Enter the IP address of the neighboring router to which to send unicast updates.
    Default: 0.0.0.0
Example
This example shows how to specify that the router at 192.168.21.20 is a neighbor.
    config router rip
        config neighbor
            edit 1
                set ip 192.168.21.20
            end
    end
config network
Use this subcommand to identify the networks for which to send and receive RIP updates. If a network
is not specified, interfaces in that network will not be advertised in RIP updates.
Note: The prefix keyword is optional.
Variables, with description and default:
edit <network_id>
    Enter an entry number for the RIP network. The number must be an integer.
    Default: No default.
prefix <address_ipv4mask>
    Enter the IP address and netmask for the RIP network.
    Default: 0.0.0.0 0.0.0.0
Example
Use the following command to enable RIP for the interfaces attached to networks specified by the IP
address 10.0.0.0 and the netmask 255.255.255.0.
    config router rip
        config network
            edit 2
                set prefix 10.0.0.0 255.255.255.0
            end
    end
config offset-list
Use this subcommand to add the specified offset to the metric (hop count) of a route from the offset
list.
Note: The access-list, direction, and offset keywords are required. All other keywords are
optional.
Variables, with description and default:
edit <offset_list_id>
    Enter an entry number for the offset list. The number must be an integer.
    Default: No default.
access-list <name_str>
    Enter the name of the access list to use for this offset list. The access list is used to determine
    which routes to add the metric to.
    Default: Null.
direction {in | out}
    Enter in to apply the offset to the metrics of incoming routes. Enter out to apply the offset to the
    metrics of outgoing routes.
    Default: out
interface <name_str>
    Enter the name of the interface to match for this offset list.
    Default: Null.
offset <metric_integer>
    Enter the offset number to add to the metric. The metric is the hop count. The metric_integer
    range is from 1 to 16, with 16 being unreachable.
    Default: 0
status {enable | disable}
    Enable or disable this offset list.
    Default: disable
Example
This example shows how to configure and enable offset list number 5 that adds a metric of 3 to
incoming routes that match the access list named acc_list1 on the external interface.
    config router rip
        config offset-list
            edit 5
                set access-list acc_list1
                set direction in
                set interface external
                set offset 3
                set status enable
            end
    end
config redistribute
Use this subcommand to redistribute routes learned from OSPF, BGP, static routes, or a direct
connection to the destination network.
The RIP redistribution table contains four static entries. You cannot add entries to the table. The entries
are defined as follows:
- bgp: Redistribute routes learned from BGP.
- connected: Redistribute routes learned from a direct connection to the destination network.
- ospf: Redistribute routes learned from OSPF.
- static: Redistribute the static routes defined in the FortiGate routing table.
When you enter the subcommand, end the command with one of the four static entry names (that is,
config redistribute {bgp | connected | ospf | static}).
Note: All keywords are optional.
Variables, with description and default:
metric <metric_integer>
    Enter the metric value to be used for the redistributed routes. The metric_integer range is from
    0 to 16.
    Default: 0
routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to
    configure route maps, see route-map on page 253.
    Default: Null.
status {enable | disable}
    Enable or disable redistributing routes.
    Default: disable
Example
This example shows how to enable route redistribution from OSPF, using a metric of 3 and a route map
named rtmp2. The second end closes config router rip, as in the other examples in this section.
    config router rip
        config redistribute ospf
            set metric 3
            set routemap rtmp2
            set status enable
        end
    end
Command history
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR7 Added access-list keyword to config distance subcommand.
Related topics
router access-list
router key-chain
router prefix-list
router route-map
get router info protocols
get router info rip
get router info routing-table
route-map
Use this command to add, edit, or delete route maps. To use the command to limit the number of
received or advertised BGP route and routing updates using route maps, see Using route maps with
BGP on page 255.
Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or
suppressing the routing of packets to particular destinations. Compared to access lists, route maps
support enhanced packet-matching criteria. In addition, route maps can be configured to permit or
deny the addition of routes to the FortiGate routing table and make changes to routing information
dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are
examined in ascending order until one or more of the rules in the route map are found to match one or
more of the route attributes:
- When a single matching match-* rule is found, changes to the routing information are made as
  defined through the rules set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
- If no matching rule is found, no changes are made to the routing information.
- When more than one match-* rule is defined, all of the defined match-* rules must evaluate to
  TRUE or the routing information is not changed.
- If no match-* rules are defined, the FortiGate unit makes changes to the routing information only
  when all of the default match-* rules happen to match the attributes of the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route
map to take effect, it must be called by a FortiGate routing process.
Command syntax pattern
    config router route-map
        edit <route_map_name>
            config rule
                edit <route_map_rule_id>
                    set action {deny | permit}
                    set match-interface <name_str>
                    set match-ip-address <access/prefix-list name_str>
                    set match-ip-nexthop <access/prefix-list name_str>
                    set match-metric <metric_integer>
                    set match-route-type {1 | 2}
                    set match-tag <tag_integer>
                    set set-ip-nexthop <address_ipv4>
                    set set-metric <metric_integer>
                    set set-metric-type {1 | 2}
                    set set-tag <tag_integer>
            end
    end
Example
This example shows how to add a route map list named rtmp2 with two rules. The first rule denies
routes that match the IP addresses in an access list named acc_list2. The second rule permits
routes that match a metric of 2 and changes the metric to 4.
    config router route-map
        edit rtmp2
            config rule
                edit 1
                    set match-ip-address acc_list2
                    set action deny
                next
                edit 2
                    set match-metric 2
                    set action permit
                    set set-metric 4
            end
    end
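The evaluation order described at the start of this section (ascending rule order, every defined match-* criterion must hold, permit applies the set-* changes, the implicit last rule denies everything) can be replayed for the rtmp2 example above. This is an added example, not FortiOS code; the contents of acc_list2 are a constructed stand-in, since the page does not show that access list, and a rule with no match-* criteria is treated as matching every route, which is an assumption of this model.

```python
"""Model of route-map rule evaluation as described above. Added illustration,
not FortiOS code. Rules are tried in ascending order; a rule matches when every
match-* criterion it defines is true; a matching permit rule applies its set-*
changes and accepts the route, a matching deny rule rejects it, and a route that
matches no rule falls to the implicit final deny. Assumption: a rule that
defines no match-* criteria is treated as matching every route. The access list
acc_list2 is a constructed stand-in for the list named in the example.
"""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

# Constructed content for the access list the rtmp2 example refers to.
ACCESS_LISTS: Dict[str, List[IPv4Network]] = {
    "acc_list2": [IPv4Network("172.16.0.0/12")],
}


@dataclass
class Route:
    prefix: str
    metric: int = 1
    nexthop: str = "0.0.0.0"
    tag: int = 0
    interface: str = ""


@dataclass
class Rule:
    rule_id: int
    action: str = "permit"
    # keys: ip-address, ip-nexthop, metric, tag, interface (the match-* keywords)
    match: Dict[str, object] = field(default_factory=dict)
    # keys: metric, ip-nexthop, tag (the set-* keywords)
    set_actions: Dict[str, object] = field(default_factory=dict)


def _in_list(list_name: str, addr: str) -> bool:
    net = IPv4Network(addr, strict=False)
    return any(net.subnet_of(entry) for entry in ACCESS_LISTS.get(list_name, []))


def rule_matches(rule: Rule, route: Route) -> bool:
    checks = {
        "ip-address": lambda v: _in_list(v, route.prefix),
        "ip-nexthop": lambda v: _in_list(v, route.nexthop),
        "metric": lambda v: route.metric == v,
        "tag": lambda v: route.tag == v,
        "interface": lambda v: route.interface == v,
    }
    return all(checks[key](value) for key, value in rule.match.items())


def apply_route_map(rules: List[Rule], route: Route) -> Tuple[bool, Route]:
    """Return (accepted, route after any set-* actions)."""
    field_for = {"metric": "metric", "ip-nexthop": "nexthop", "tag": "tag"}
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule_matches(rule, route):
            continue
        if rule.action == "deny":
            return False, route
        changes = {field_for[k]: v for k, v in rule.set_actions.items()}
        return True, replace(route, **changes)
    return False, route      # the documented default rule: deny everything else


# rtmp2 from the example above.
RTMP2 = [
    Rule(1, "deny", match={"ip-address": "acc_list2"}),
    Rule(2, "permit", match={"metric": 2}, set_actions={"metric": 4}),
]


def evaluate_rtmp2(prefix: str, metric: int) -> Tuple[bool, int]:
    accepted, out = apply_route_map(RTMP2, Route(prefix, metric=metric))
    return accepted, out.metric
```

The third case in the test is the one that surprises people reviewing a route map: a route that is neither in acc_list2 nor at metric 2 is not passed through unchanged, it is dropped by the implicit final deny, so a map intended to "only adjust some routes" needs a closing permit rule.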
Note: All keywords are optional.
Variables, with description and default:
edit <route_map_name>
    Enter a name for the route map.
    Default: No default.
config rule variables
edit <route_map_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.
action {deny | permit}
    Enter permit to permit routes that match this rule. Enter deny to deny routes that match this
    rule.
    Default: permit
match-interface <name_str>
    Enter the name of the local FortiGate interface that will be used to match route interfaces.
    Default: Null.
match-ip-address <access/prefix-list name_str>
    Match a route if the destination address is included in the specified access list or prefix list.
    Default: Null.
match-ip-nexthop <access/prefix-list name_str>
    Match a route that has a next-hop router address included in the specified access list or prefix
    list.
    Default: Null.
match-metric <metric_integer>
    Match a route with the specified metric. The metric can be a number from 1 to 16.
    Default: 0
match-route-type {1 | 2}
    Match a route that has the external type set to 1 or 2.
    Default: external-type1
match-tag <tag_integer>
    This keyword is available when set-tag is set. Match a route that has the specified tag.
    Default: 0
set-ip-nexthop <address_ipv4>
    Set the next-hop router address for a matched route.
    Default: 0.0.0.0
set-metric <metric_integer>
    Set a metric value of 1 to 16 for a matched route.
    Default: 0
set-metric-type {1 | 2}
    Set the type for a matched route.
    Default: external-type1
set-tag <tag_integer>
    Set a tag value for a matched route.
    Default: 0
Using route maps with BGP
When a connection is established between BGP peers, the two peers exchange all of their BGP route
entries. Afterward, they exchange updates that only include changes to the existing routing
information. Several BGP entries may be present in a route-map table. You can limit the number of
received or advertised BGP route and routing updates using route maps. Use the config router
route-map command to create, edit, or delete a route map.
Command syntax pattern
    config router route-map
        edit <route_map_name>
            config rule
                edit <route_map_rule_id>
                    set match-as-path <aspath-list-name_str>
                    set match-community <community-list-name_str>
                    set match-community-exact {enable | disable}
                    set match-origin {egp | igp | incomplete | none}
                    set set-aggregator-as <id_integer>
                    set set-aggregator-ip <address_ipv4>
                    set set-aspath <id_integer> <id_integer> <id_integer> ...
                    set set-atomic-aggregate {enable | disable}
                    set set-community-delete <community-list-name_str>
                    set set-community <criteria>
                    set set-community-additive {enable | disable}
                    set set-dampening-reachability-half-life <minutes>
                    set set-dampening-reuse <reuse_integer>
                    set set-dampening-suppress <suppress_integer>
                    set set-dampening-max-suppress <minutes>
                    set set-dampening-unreachability-half-life <minutes>
                    set set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ...
                    set set-extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
                    set set-local-preference <preference_integer>
                    set set-originator-id <address_ipv4>
                    set set-origin {egp | igp | incomplete | none}
                    set set-weight <weight_integer>
            end
Note: When you specify a route map for the dampening-route-map value through the config router bgp
command (see dampening-route-map <routemap-name_str> on page 200), the FortiGate unit ignores
global dampening settings. You cannot set global dampening settings for the FortiGate unit and then override
those values through a route map.
FortiGate CLI Version 3.0 MR5 Reference
256 01-30005-0015-20070803
route-map router
Note: All keywords are optional.
Variables Description Default
edi t <r out e_map_name> Enter a name for the route map. No default.
config rule variables
edi t <r out e_map_r ul e_i d> Enter an entry number for the rule. The number must be an
integer.
No default.
mat ch- as- pat h
<aspat h- l i st - name_st r >
Enter the AS-path list name that will be used to match BGP
route prefixes. You must create the AS-path list before it
can be selected here. See aspath-list on page 194.
Null.
mat ch- communi t y
<communi t y- l i st - name_st r >
Enter the community list name that will be used to match
BGP routes according to their COMMUNITY attributes.
You must create the community list before it can be
selected here. See community-list on page 209.
Null.
mat ch- communi t y- exact
{enabl e | di sabl e}
This keyword is available when mat ch- communi t y is set.
Enable or disable an exact match of the BGP route
community specified by the mat ch- communi t y keyword.
di sabl e
mat ch- or i gi n {egp | i gp |
i ncompl et e | none}
Enter a value to compare to the ORIGIN attribute of a
routing update:
To compare the NLRI learned from the Exterior Gateway
Protocol (EGP), select egp. The FortiGate unit has the
second-highest preference for routes of this type.
To compare the NLRI learned from a protocol internal to
the originating AS, select i gp. The FortiGate unit has the
highest preference for routes learned through Internal
Gateway Protocol (IGP).
To match routes that were learned some other way (for
example, through redistribution), select i ncompl et e.
To disable the matching of BGP routes based on the
origin of the route, select none.
none
set - aggr egat or - as
<i d_i nt eger >
Set the originating AS of an aggregated route. The value
specifies at which AS the aggregate route originated. The
range is from 1 to 65 535. The set - aggr egat or - i p
value must also be set to further identify the originating AS.
unset
set - aggr egat or - i p
<addr ess_i pv4>
This keyword is available when set - aggr egat or - as is
set.
Set the IP address of the BGP router that originated the
aggregate route. The value should be identical to the
FortiGate r out er - i d value (see r out er - i d
<addr ess_i pv4> on page 201).
0. 0. 0. 0
set - aspat h
<i d_i nt eger > <i d_i nt eger >
<i d_i nt eger > . . .
Modify the FortiGate AS_PATH attribute and add to it the
AS numbers of the AS path belonging to a BGP route. The
resulting path describes the autonomous systems along
the route to the destination specified by the NLRI. The
range is from 1 to 65 535.
The set - aspat h value is added to the beginning of the
AS_SEQUENCE segment of the AS_PATH attribute of
incoming routes, or to the end of the AS_SEQUENCE
segment of the AS_PATH attribute of outgoing routes.
Enclose all AS numbers in quotes if there are multiple
occurrences of the same id_integer. Otherwise the AS path
may be incomplete.
No default.
set - at omi c- aggr egat e
{enabl e | di sabl e}
Enable or disable a warning to upstream routers through
the ATOMIC_AGGREGATE attribute that address
aggregation has occurred on an aggregate route. This
value does not have to be specified when an as- set
value is specified in the aggregate-address table (see
config aggregate-address on page 202).
di sabl e
router route-map
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 257
set - communi t y- del et e
<communi t y- l i st - name_st r >
Remove the COMMUNITY attributes from the BGP routes
identified in the specified community list. You must create
the community list first before it can be selected here (see
community-list on page 209).
Null.
set - communi t y <cr i t er i a> Set the COMMUNITY attribute of a BGP route.
Use decimal notation to set a specific COMMUNITY
attribute for the route. The value has the syntax AA: NN,
where AA represents an AS, and NN is the community
identifier. Delimit complex expressions with double-
quotation marks (for example, 123: 234 345: 456).
To make the route part of the Internet community, select
i nt er net .
To make the route part of the LOCAL_AS community,
select l ocal - AS.
To make the route part of the NO_ADVERTISE
community, select no- adver t i se.
To make the route part of the NO_EXPORT community,
select no- expor t .
No default.
set - communi t y- addi t i ve
{enabl e | di sabl e}
This keyword is available when set - communi t y is set.
Enable or disable the appending of the set - communi t y
value to a BGP route.
di sabl e
set - dampeni ng- r eachabi l i t y-
hal f - l i f e
<mi nut es>
Set the dampening reachability half-life of a BGP route (in
minutes). The range is from 1 to 45.
0
set - dampeni ng- r euse
<r euse_i nt eger >
Set the value at which a dampened BGP route will be
reused. The range is from 1 to 20 000. If you set set -
dampeni ng- r euse, you must also set set - dampeni ng-
suppr ess and set - dampeni ng- max- suppr ess.
0
set - dampeni ng- suppr ess
<suppr ess_i nt eger >
Set the limit at which a BGP route may be suppressed. The
range is from 1 to 20 000. See also dampeni ng-
suppr ess <l i mi t _i nt eger > on page 200.
0
set - dampeni ng- max- suppr ess
<mi nut es>
Set maximum time (in minutes) that a BGP route can be
suppressed. The range is from 1 to 255. See also
dampeni ng- max- suppr ess- t i me in dampeni ng-
max- suppr ess- t i me <mi nut es_i nt eger > on
page 199.
0
set - dampeni ng-
unr eachabi l i t y- hal f - l i f e
<mi nut es>
Set the unreachability half-life of a BGP route (in minutes).
The range is from 1 to 45. See also dampeni ng-
unr eachabi l i t y- hal f - l i f e in dampeni ng-
unr eachabi l i t y- hal f - l i f e <mi nut es_i nt eger >
on page 200.
0
set - ext communi t y- r t
<AA: NN> <AA: NN> <AA: NN> . . .
Set the target extended community (in decimal notation) of
a BGP route. The COMMUNITY attribute value has the
syntax AA: NN, where AA represents an AS, and NN is the
community identifier.
No default.
set - ext communi t y- soo
<AA: NN> <AA: NN> <AA: NN> . . .
Set the site-of-origin extended community (in decimal
notation) of a BGP route. The COMMUNITY attribute value
has the syntax AA: NN, where AA represents an AS, and NN
is the community identifier.
No default.
set - l ocal - pr ef er ence
<pr ef er ence_i nt eger >
Set the LOCAL_PREF value of an IBGP route. The value
is advertised to IBGP peers. The range is from 0 to
4294 967 295. A higher number signifies a preferred route
among multiple routes to the same destination.
0
set - or i gi nat or - i d
<addr ess_i pv4>
Set the ORIGINATOR_ID attribute, which is equivalent to
the r out er - i d of the originator of the route in the local
AS. Route reflectors use this value to prevent routing
loops.
0. 0. 0. 0
Variables Description Default
FortiGate CLI Version 3.0 MR5 Reference
258 01-30005-0015-20070803
route-map router
Example
This example shows how to create a route map named BGP_r t mp2. The route map contains two
rules. The first rule permits operations on routes that match the IP addresses in an access list named
acc_l i st 2. The second rule permits operations on routes according to a community list named
com_l i st 3.
conf i g r out er r out e- map
edi t BGP_r t mp2
conf i g r ul e
edi t 1
set mat ch- i p- addr ess acc_l i st 2
set act i on per mi t
next
edi t 2
set mat ch- communi t y com_l i st 3
set act i on per mi t
end
end
Command history
Related topics
router access-list
router prefix-list
router rip
router aspath-list
router bgp
router community-list
router key-chain
set - or i gi n {egp | i gp |
i ncompl et e | none}
Set the ORIGIN attribute of a local BGP route.
To set the value to the NLRI learned from the Exterior
Gateway Protocol (EGP), select egp.
To set the value to the NLRI learned from a protocol
internal to the originating AS, select i gp.
If you did not specify egp or i gp, select i ncompl et e.
To disable the ORIGIN attribute, select none.
none
set - wei ght
<wei ght _i nt eger >
Set the weight of a BGP route. A routes weight has the
most influence when two identical BGP routes are
compared. A higher number signifies a greater preference.
The range is from 0 to 2 147483 647.
0
FortiOS v2.80 New.
FortiOS v3.0 Added support for BGP.
Variables Description Default
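The rule-evaluation behaviour described in the table above, as an added Python illustration that is not part of the FortiGate CLI or of FortiOS: rules are tried in order and the first rule whose match clauses all succeed decides; match-community-exact switches between matching any community from the list and requiring the route's communities to equal the list; set-community replaces the COMMUNITY attribute unless set-community-additive appends instead; and set-aspath is placed at the beginning of the AS_SEQUENCE of an incoming route. The Route and Rule classes, the implicit deny when no rule matches, and the sample update are assumptions made for this example.

```python
"""Toy model of route-map rule evaluation for an incoming BGP update.

Added illustration only: the Route and Rule classes, the implicit deny when no
rule matches, and the sample data are assumptions for this example, not
FortiOS internals.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str
    as_path: list                                   # AS_SEQUENCE, nearest AS first
    communities: set = field(default_factory=set)   # "AA:NN" strings
    local_pref: int = 100


@dataclass
class Rule:
    # match clauses; None means the clause is not set and matches any route
    match_as_path: Optional[str] = None        # regexp over "65010 65020"-style path text
    match_community: Optional[set] = None      # the community list's "AA:NN" entries
    match_community_exact: bool = False
    # set clauses
    set_local_preference: Optional[int] = None
    set_community: Optional[set] = None
    set_community_additive: bool = False
    set_aspath: list = field(default_factory=list)
    action: str = "permit"


def rule_matches(rule: Rule, route: Route) -> bool:
    """Every configured match clause must succeed for the rule to apply."""
    if rule.match_as_path is not None:
        path_text = " ".join(str(asn) for asn in route.as_path)
        if not re.search(rule.match_as_path, path_text):
            return False
    if rule.match_community is not None:
        if rule.match_community_exact:
            # exact: the route's communities must equal the community list
            if route.communities != rule.match_community:
                return False
        elif not (rule.match_community & route.communities):
            # not exact: any community from the list is enough
            return False
    return True


def apply_sets(rule: Rule, route: Route) -> Route:
    """Apply the rule's set clauses to a copy of the incoming route."""
    out = Route(route.prefix, list(route.as_path), set(route.communities), route.local_pref)
    if rule.set_local_preference is not None:
        out.local_pref = rule.set_local_preference
    if rule.set_community is not None:
        if rule.set_community_additive:
            out.communities |= rule.set_community       # append to existing communities
        else:
            out.communities = set(rule.set_community)   # replace existing communities
    if rule.set_aspath:
        # incoming route: prepend to the AS_SEQUENCE segment
        out.as_path = list(rule.set_aspath) + out.as_path
    return out


def apply_route_map(rules: list, route: Route) -> Optional[Route]:
    """First matching rule decides; deny, or no match at all, drops the route."""
    for rule in rules:
        if rule_matches(rule, route):
            return apply_sets(rule, route) if rule.action == "permit" else None
    return None


# Constructed sample update and route map, not taken from the original page.
SAMPLE_ROUTE = Route("203.0.113.0/24", [65010, 65020], {"65010:100", "65010:200"})
SAMPLE_RULES = [
    # rule 1 needs an exact community match; the route carries a second community, so it fails
    Rule(match_community={"65010:100"}, match_community_exact=True, set_local_preference=300),
    # rule 2 matches on any listed community, raises LOCAL_PREF, tags additively, prepends AS 65000
    Rule(match_community={"65010:100"}, set_local_preference=200,
         set_community={"65000:1"}, set_community_additive=True, set_aspath=[65000]),
]


def run_sample() -> Optional[Route]:
    return apply_route_map(SAMPLE_RULES, SAMPLE_ROUTE)
```

Running run_sample() shows why rule order and the exact flag matter: the exact rule is skipped because the update carries a community the list does not name, so the second rule sets LOCAL_PREF to 200, adds 65000:1 to the existing communities rather than replacing them, and the AS_PATH becomes 65000 65010 65020.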
static
Use this command to add, edit, or delete static routes for IPv4 traffic. For IPv6 traffic, use the static6
command. You add static routes to control traffic exiting the FortiGate unit. You configure routes by
specifying destination IP addresses and network masks and adding gateways for these destination
addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses
in the route is forwarded.
You can adjust the administrative distance of a route to indicate preference when more than one route
to the same destination is available. The lower the administrative distance, the more preferred the
route. If the routing table contains several entries that point to the same destination (the entries
may have different gateways or interface associations), the FortiGate unit compares the administrative
distances of those entries, selects the entries having the lowest distances, and installs them as routes
in the FortiGate forwarding table. Any ties are resolved by comparing the routes' priority values, with the
lowest priority value being preferred. As a result, the FortiGate forwarding table only contains routes
having the lowest distances to every possible destination.
After the FortiGate unit selects static routes for the forwarding table based on their administrative
distances, the sequence numbers of those routes determine routing priority. When two routes to the
same destination exist in the forwarding table, the FortiGate unit selects the route having the lowest
sequence number.
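The selection order described above, as an added Python illustration that is not FortiOS code: only the lowest-distance candidates for a destination are installed, and among installed routes the lowest priority value wins, then the lowest sequence number. The example also applies longest-prefix matching before those tie-breaks (standard IP forwarding, not stated on this page) and uses a blackhole route to sink traffic for an unused private range so that it is not sent out through the default route. The StaticRoute class, the function names and the sample routes are assumptions made for this example.

```python
"""Model of static-route selection as described above.

Added illustration only: the StaticRoute class, the function names, the
sample routes and the longest-prefix step are assumptions for this example,
not FortiOS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    seq: int                        # edit <sequence_number>
    dst: str                        # "a.b.c.d/len"; "0.0.0.0/0" is the default route
    device: Optional[str] = None
    gateway: Optional[str] = None
    distance: int = 10              # config router static default
    priority: int = 0
    blackhole: bool = False


def installed_routes(routes):
    """Forwarding-table contents: for each destination only the candidates
    with the lowest administrative distance survive."""
    by_dst = {}
    for r in routes:
        by_dst.setdefault(ipaddress.ip_network(r.dst), []).append(r)
    installed = []
    for cands in by_dst.values():
        best = min(r.distance for r in cands)
        installed.extend(sorted((r for r in cands if r.distance == best), key=lambda r: r.seq))
    return installed


def lookup(routes, ip):
    """Route used for one destination IP: longest matching prefix first (standard
    IP forwarding, assumed here), then lowest priority value, then lowest
    sequence number among the installed routes."""
    addr = ipaddress.ip_address(ip)
    matching = [r for r in installed_routes(routes) if addr in ipaddress.ip_network(r.dst)]
    if not matching:
        return None
    longest = max(ipaddress.ip_network(r.dst).prefixlen for r in matching)
    matching = [r for r in matching if ipaddress.ip_network(r.dst).prefixlen == longest]
    return min(matching, key=lambda r: (r.priority, r.seq))


def next_hop(routes, ip):
    """'drop' for a blackhole route, (device, gateway) otherwise, None if unroutable."""
    r = lookup(routes, ip)
    if r is None:
        return None
    return "drop" if r.blackhole else (r.device, r.gateway)


# Constructed sample table, not taken from the original page: two default routes
# with equal distance but different priority, a backup default route with a
# higher distance, an internal subnet, and a blackhole that sinks unused
# private space so that it never leaks out through the default route.
SAMPLE_ROUTES = [
    StaticRoute(1, "0.0.0.0/0", "wan1", "203.0.113.1", distance=10, priority=0),
    StaticRoute(2, "0.0.0.0/0", "wan2", "198.51.100.1", distance=10, priority=5),
    StaticRoute(3, "0.0.0.0/0", "modem", None, distance=20),          # not installed
    StaticRoute(4, "192.168.22.0/24", "internal", "192.168.22.44"),
    StaticRoute(5, "10.0.0.0/8", blackhole=True),
]
```

With the sample table, installed_routes() keeps routes 1, 2, 4 and 5 (route 3 loses on distance), Internet traffic leaves through wan1 because its priority value is lower than wan2's, and anything addressed into 10.0.0.0/8 is dropped by the blackhole route rather than forwarded to the ISP.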
Command syntax pattern
config router static
    edit <sequence_number>
        set blackhole {enable | disable}
        set device <interface_name>
        set distance <distance>
        set dst <destination-address_ipv4mask>
        set dynamic-gateway {enable | disable}
        set gateway <gateway-address_ipv4>
        set priority <integer>
    end
Note: The dst and gateway keywords are required when blackhole is disabled. When blackhole is
enabled, the dst keyword is required. All other keywords are optional.
Variables, descriptions, and defaults
edit <sequence_number>
    Enter a sequence number for the static route. The sequence number may influence routing
    priority in the FortiGate forwarding table.
    Default: No default.
blackhole {enable | disable}
    Enable or disable advertising this route to neighbors through dynamic routing protocols while
    dropping all packets that match this route.
    Default: disable
device <interface_name>
    This keyword is available when blackhole is set to disable. Enter the name of the FortiGate
    interface through which to route traffic.
    Default: Null.
distance <distance>
    Enter the administrative distance for the route. The distance value may influence route
    preference in the FortiGate routing table. The range is an integer from 1 to 255. See also
    config system interface distance <distance_integer> on page 259.
    Default: 10
dst <destination-address_ipv4mask>
    Enter the destination IP address and network mask for this route. You can enter
    0.0.0.0 0.0.0.0 to create a new static default route.
    Default: 0.0.0.0 0.0.0.0
dynamic-gateway {enable | disable}
    When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP
    or PPPoE interface. When the interface connects or disconnects, the corresponding routing
    entries are updated to reflect the change.
    Default: disable
gateway <gateway-address_ipv4>
    This keyword is available when blackhole is set to disable. Enter the IP address of the next-hop
    router to which traffic is forwarded.
    Default: 0.0.0.0
priority <integer>
    The administrative priority value is used to resolve ties in route selection. Where both routes
    have the same priority, the egress index of the routes is used to determine the selected route.
    The range is an integer from 0 to 4294967295. Routes with a lower priority value are preferred.
    This field is only accessible through the CLI.
Example
This example shows how to add a static route that has the sequence number 2.
config router static
    edit 2
        set device internal
        set dst 192.168.22.0 255.255.255.0
        set gateway 192.168.22.44
    end
This example shows how to add a static route for a dynamic modem interface with a priority of 1.
Because dynamic-gateway is enabled, no gateway address is entered; the routing entry is updated
from the modem interface when it connects.
config router static
    edit 3
        set device modem
        set dynamic-gateway enable
        set dst 10.0.0.7 255.255.255.0
        set priority 1
    end
Command history
FortiOS v2.80 Substantially revised.
FortiOS v3.0 Added blackhole attribute.
FortiOS v3.0 MR2 Added dynamic-gateway attribute.
Related topics
system interface
get router info routing-table
static6
Use this command to add, edit, or delete static routes for IPv6 traffic. You add static routes to specify
the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP
addresses and network masks and adding gateways for these destination addresses. The gateways
are the next-hop routers to which traffic that matches the destination addresses in the route is
forwarded.
Command syntax pattern
config router static6
    edit <sequence_number>
        set device <interface_name>
        set dst <destination-address_ipv6mask>
        set gateway <gateway-address_ipv6>
    end
Note: You can configure static routes for IPv6 traffic on FortiGate units that run in NAT/Route mode.
Note: The device, dst, and gateway keywords are required.
Variables, descriptions, and defaults
edit <sequence_number>
    Enter a sequence number for the static route.
    Default: No default.
device <interface_name>
    The name of the FortiGate interface through which to route traffic.
    Default: Null.
dst <destination-address_ipv6mask>
    The destination IPv6 address and netmask for this route. You can enter ::/0 to create a new
    static default route for IPv6 traffic.
    Default: ::/0
gateway <gateway-address_ipv6>
    The IPv6 address of the next-hop router to which traffic is forwarded.
    Default: ::
Example
This example shows how to add an IPv6 static route that has the sequence number 2.
config router static6
    edit 2
        set device internal
        set dst 12AB:0:0:CD30::/60
        set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF
    end
Command history
FortiOS v2.80 New.
Related topics
system interface
get router info routing-table
spamfilter
Use spamfilter commands to create a banned word list, configure filters based on email addresses, IP
addresses, and MIME headers, and to configure the FortiGuard-Antispam service.
This chapter contains the following sections:
bword
emailbwl
fortishield
ipbwl
iptrust
mheader
options
DNSBL
bword
Use this command to add or edit the spam filter banned word list and configure its options.
The FortiGate spam filters are applied in the following order:
For SMTP
1 IP address BWL check - last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from Received headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from Received headers, and
URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
Control spam by blocking email messages containing specific words or patterns. If enabled in the
protection profile, the FortiGate unit searches for words or patterns in email messages. If matches are
found, the values assigned to the words are totalled. If a user-defined threshold value is exceeded, the
message is marked as spam. If no match is found, the email message is passed along to the next filter.
Use Perl regular expressions or wildcards to add banned word patterns to the list. See Using Perl
regular expressions on page 47. Add one or more banned words to sort email containing those words
in the email subject, body, or both. Words can be marked as spam or clear. Banned words can be one
word or a phrase up to 127 characters long.
If a single word is entered, the FortiGate unit blocks all email that contains that word. If a phrase is
entered, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase,
use Perl regular expressions.
Note: Perl regular expression patterns are case sensitive for spam filter banned words. To make a word or
phrase case insensitive, use the regular expression modifier /i. For example, /bad language/i matches all
instances of bad language regardless of case. Wildcard patterns are not case sensitive.
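The banned-word scoring described above, as an added Python illustration that is not FortiOS code: each enabled entry is applied to the part of the message its where value selects, wildcard patterns are case-insensitive while regexp patterns are case-sensitive unless written with the /i modifier, an entry's score is counted once however often the word occurs, and the total is compared with the spamwordthreshold of the protection profile. The entry dictionaries, the function names, the token-level meaning given to wildcards, the handling of a matching clear entry as allowing the message, and the sample message are assumptions made for this example.

```python
"""Model of the banned-word check described above.

Added illustration only: the entry dictionaries, the function names, the
token-level wildcard semantics and the treatment of a matching "clear" entry
are assumptions for this example, not FortiOS code.
"""
import re


def wildcard_to_regex(pattern):
    """'*' matches any run of non-space characters and '?' exactly one; the
    pattern has to cover a whole whitespace-delimited token (assumed semantics)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"\S*")
        elif ch == "?":
            parts.append(r"\S")
        else:
            parts.append(re.escape(ch))
    return r"(?<!\S)" + "".join(parts) + r"(?!\S)"


def compile_entry(entry):
    """Translate one bword entry into a compiled regular expression."""
    pattern = entry["pattern"]
    if entry.get("pattern-type", "wildcard") == "wildcard":
        return re.compile(wildcard_to_regex(pattern), re.IGNORECASE)  # wildcards: not case sensitive
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.DOTALL)
    if m:  # Perl-style /pattern/flags form, e.g. /bad language/i
        body, flags = m.groups()
        return re.compile(body, re.IGNORECASE if "i" in flags else 0)
    return re.compile(pattern)  # bare regexp: case sensitive


def score_message(entries, subject, body, threshold):
    """Return (total_score, matched_patterns, is_spam) for one message.

    Entries are evaluated in list order. Each enabled entry that matches in the
    part of the message selected by its 'where' value adds its score exactly
    once; a matching 'clear' entry allows the message outright (assumption).
    """
    total, matched = 0, []
    for entry in entries:
        if entry.get("status", "enable") != "enable":
            continue
        where = entry.get("where", "all")
        text = {"subject": subject, "body": body}.get(where, subject + "\n" + body)
        if compile_entry(entry).search(text):
            if entry.get("action", "spam") == "clear":
                return 0, [entry["pattern"]], False
            matched.append(entry["pattern"])
            total += entry.get("score", 10)  # default score 10, counted once per entry
    return total, matched, total > threshold


# Constructed sample list and message, not taken from the original page.
SAMPLE_ENTRIES = [
    {"pattern": "/bad language/i", "pattern-type": "regexp", "score": 20, "where": "all"},
    {"pattern": "free*", "pattern-type": "wildcard", "score": 10, "where": "subject"},
    {"pattern": "Viagra", "pattern-type": "regexp", "score": 30, "where": "body"},  # case sensitive
    {"pattern": "urgent", "pattern-type": "wildcard", "score": 10, "status": "disable"},
]
SPAM_WORD_THRESHOLD = 25  # assumed spamwordthreshold from the protection profile
SAMPLE_SUBJECT = "FREEBIE offer inside"
SAMPLE_BODY = "Bad Language twice: BAD LANGUAGE. Cheap viagra. Urgent!"


def check_sample():
    return score_message(SAMPLE_ENTRIES, SAMPLE_SUBJECT, SAMPLE_BODY, SPAM_WORD_THRESHOLD)
```

check_sample() scores the sample at 30: the /i regexp matches the two occurrences of the phrase but contributes 20 only once, the wildcard free* matches FREEBIE in the subject despite the different case, the case-sensitive Viagra entry does not match the lower-case body text, and the disabled entry is skipped. A list author who expects Viagra to catch viagra needs either /viagra/i or a wildcard entry.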
Command syntax pattern
config spamfilter bword
    edit <banned_word_list_integer>
        set name <banned_word_list>
        set comment <banned_word_list_comment>
        config entries
            edit <banned_word_integer>
                set action {clear | spam}
                set language {french | japanese | korean | simch | thai | trach | western}
                set pattern <banned_word_str>
                set pattern-type {regexp | wildcard}
                set score <integer_value>
                set status {enable | disable}
                set where {all | body | subject}
            end
    end
Keywords and variables, descriptions, and defaults
<banned_word_list_integer>
    A unique number to identify the banned word list.
<banned_word_list>
    The name of the banned word list.
<banned_word_list_comment>
    The comment attached to the banned word list.
<banned_word_integer>
    A unique number to identify the banned word or pattern.
action {clear | spam}
    Enter clear to allow the email. Enter spam to apply the spam action configured in the protection
    profile.
    Default: spam
language {french | japanese | korean | simch | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French,
    Japanese, Korean, Simplified Chinese, Thai, Traditional Chinese, or Western.
    Default: western
pattern <banned_word_str>
    Enter the banned word or phrase pattern using regular expressions or wildcards.
    Default: No default.
pattern-type {regexp | wildcard}
    Enter the pattern type for the banned word (pattern). Choose from regular expressions or
    wildcard.
    Default: wildcard
score <integer_value>
    A numerical weighting applied to the banned word. The score values of all the matching words
    appearing in an email message are added, and if the total is greater than the spamwordthreshold
    value set in the protection profile, the message is processed according to the spam action
    setting in the protection profile. The score for a banned word is counted once even if the word
    appears multiple times in an email message.
    Default: 10
status {enable | disable}
    Enable or disable scanning email for each banned word.
    Default: enable
where {all | body | subject}
    Enter where in the email to search for the banned word or phrase.
    Default: all
Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 Added french and thai variables to the language keyword.
FortiOS v3.0 Added score variable. Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
emailbwl
Use this command to filter email based on the sender's email address or address pattern.
The FortiGate spam filters are applied in the order listed under bword on page 264.
The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the
email address or domain of the sender to the list in sequence. If a match is found, the corresponding
action is taken. If no match is found, the email is passed on to the next spam filter.
The FortiGate unit can filter email from specific senders or all email from a domain (such as
example.net). Each email address can be marked as clear or spam.
Use Perl regular expressions or wildcards to add email address patterns to the list. See Using Perl
regular expressions on page 47.
Command syntax pattern
config spamfilter emailbwl
    edit <emailbwl_list_integer>
        set name <emailbwl_list>
        set comment <emailbwl_list_comment>
        config entries
            edit <email_address_integer>
                set action {clear | spam}
                set email-pattern <email_address_str>
                set pattern-type {regexp | wildcard}
                set status {enable | disable}
            end
    end
Keywords and variables, descriptions, and defaults
<emailbwl_list_integer>
    A unique number to identify the email black/white list.
<emailbwl_list>
    The name of the email black/white list.
<emailbwl_list_comment>
    The comment attached to the email black/white list.
<email_address_integer>
    A unique number to identify the email pattern.
action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam
    action configured in the protection profile.
    Default: spam
email-pattern <email_address_str>
    Enter the email address pattern using wildcards or Perl regular expressions.
pattern-type {regexp | wildcard}
    Enter the pattern type for the email address. Choose from wildcards or Perl regular expressions.
    Default: wildcard
status {enable | disable}
    Enable or disable scanning for each email address.
    Default: enable
Command history
FortiOS v2.80 New.
FortiOS v3.0 Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
spamfilter bword
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
fortishield
Use this command to configure the settings for the FortiGuard-Antispam Service.
The FortiGate spam filters are applied in the order listed under bword on page 264.
FortiGuard-Antispam Service is an antispam system from Fortinet that includes an IP address black
list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email
servers known to be used to generate spam. The URL black list contains URLs found in spam email.
FortiGuard-Antispam Service compiles the IP address and URL lists from email captured by spam
probes located around the world. Spam probes are email addresses purposely configured to attract
spam and identify known spam sources; the antispam IP address and URL lists are built from what they
receive. FortiGuard-Antispam Service combines IP address and URL checks with other spam filter
techniques in a two-pass process.
On the first pass, if spamfsip is selected in the protection profile, FortiGuard-Antispam Service
extracts the SMTP mail server source address and sends the IP address to a FortiGuard-Antispam
Service server to see if this IP address matches the list of known spammers. If spamfsurl is selected
in the protection profile, FortiGuard-Antispam Service checks the body of email messages to extract
any URL links. These URL links are sent to a FortiGuard-Antispam Service server to see if any of
them is listed. Spam messages typically contain URL links to advertisements (also called
spamvertizing).
If an IP address or URL match is found, FortiGuard-Antispam Service terminates the session. If
FortiGuard-Antispam Service does not find a match, the mail server sends the email to the recipient.
As each email is received, FortiGuard-Antispam Service performs the second antispam pass by
checking the header, subject, and body of the email for common spam content. If FortiGuard-Antispam
Service finds spam content, the email is tagged or dropped according to the configuration in the
firewall protection profile.
Both FortiGuard-Antispam Service antispam processes are completely automated and configured by
Fortinet. With constant monitoring and dynamic updates, FortiGuard-Antispam Service is kept
current. Enable or disable FortiGuard-Antispam Service in a firewall protection profile.
Command syntax pattern
config spamfilter fortishield
    set spam-submit-force {enable | disable}
    set spam-submit-srv <url_str>
    set spam-submit-txt2htm {enable | disable}
end
Keywords and variables, descriptions, and defaults
spam-submit-force {enable | disable}
    Enable or disable forced insertion of a new MIME entity for the submission text.
    Default: enable
spam-submit-srv <url_str>
    The host name of the FortiGuard-Antispam Service server. The FortiGate unit comes preconfigured
    with the host name. Use this command only to change the host name.
    Default: www.nospammer.net
spam-submit-txt2htm {enable | disable}
    Enable or disable converting text email to HTML.
    Default: enable
Command history
FortiOS v2.80 MR7 New.
FortiOS v3.0 Some revisions and added port and timeout.
FortiOS v3.0 MR1 Restructured: some commands were moved to system fortiguard and some new
commands were added.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
ipbwl
Use this command to filter email based on the IP or subnet address of the sender.
The FortiGate spam filters are generally applied in the order listed under bword on page 264.
The FortiGate unit uses the IP address list to filter incoming email. The FortiGate unit compares the IP
address of the sender to the list in sequence. If a match is found, the corresponding protection profile
action is taken. If no match is found, the email is passed on to the next spam filter.
Enter an IP address and mask in one of two formats:
x.x.x.x/x.x.x.x, for example 192.168.10.23/255.255.255.0
x.x.x.x/x, for example 192.168.10.23/24
Configure the FortiGate unit to filter email from specific IP addresses. Mark each IP address as clear,
spam, or reject. Filter single IP addresses, or a range of addresses at the network level by configuring
an address and mask.
Command syntax pattern
config spamfilter ipbwl
    edit <ipbwl_list_integer>
        set name <ipbwl_list>
        set comment <ipbwl_list_comment>
        config entries
            edit <address_ipv4_integer>
                set action {clear | reject | spam}
                set ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
                set status {enable | disable}
            end
    end
Keywords and variables, descriptions, and defaults
<ipbwl_list_integer>
    A unique number to identify the IP black/white list.
<ipbwl_list>
    The name of the IP black/white list.
<ipbwl_list_comment>
    The comment attached to the IP black/white list.
<address_ipv4_integer>
    A unique number to identify the address.
action {clear | reject | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter reject to drop any current
    or incoming sessions. Enter spam to apply the spam action configured in the protection profile.
    Default: spam
ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
    The IP address to filter. A subnet mask in the format 192.168.10.23/255.255.255.0 or
    192.168.10.23/24 can also be included.
    Default: No default.
status {enable | disable}
    Enable or disable scanning email for each IP address.
    Default: enable
Command history
FortiOS v2.80 New.
FortiOS v3.0 Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter iptrust
spamfilter mheader
spamfilter options
spamfilter DNSBL
iptrust
Use this command to add an entry to a list of trusted IP addresses.
If the FortiGate unit sits behind a company's mail transfer agents (MTAs), it may be unnecessary to
check the IP addresses of those mail servers because they are internal and trusted. The only IP
addresses that need to be checked are those from outside of the company. In some cases, external IP
addresses may be added to the list if it is known that they are not sources of spam.
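The IP address black/white list check (ipbwl, above) together with the trusted IP list (iptrust, this section), as an added Python illustration that is not FortiOS code: a sender that falls inside a trusted address or subnet skips the IP check, otherwise the black/white list entries are compared in sequence and the first enabled match decides between clear, reject and spam, with no match passing the message to the next filter. Both mask notations from the ipbwl description are accepted. The entry dictionaries, the function names, the rule that trusted senders skip the check, and the sample lists are assumptions made for this example.

```python
"""Model of the IP address black/white list (ipbwl) check combined with the
trusted IP list (iptrust).

Added illustration only: the entry dictionaries, the function names and the
rule that a trusted sender skips the IP checks are assumptions for this
example, not FortiOS code.
"""
import ipaddress


def parse_ip_subnet(value):
    """Accept 192.168.10.23, 192.168.10.23/24 or 192.168.10.23/255.255.255.0."""
    if "/" not in value:
        return ipaddress.ip_network(value)  # a single host
    # strict=False lets the host part carry set bits, as in the examples above
    return ipaddress.ip_network(value, strict=False)


def is_trusted(trust_entries, sender_ip):
    """True when an enabled iptrust entry covers the sender."""
    ip = ipaddress.ip_address(sender_ip)
    return any(entry.get("status", "enable") == "enable" and ip in parse_ip_subnet(entry["ip/subnet"])
               for entry in trust_entries)


def ipbwl_check(bwl_entries, trust_entries, sender_ip):
    """Return 'trusted', or the first matching entry's action ('clear', 'reject'
    or 'spam'), or None when no entry matches and the next filter applies."""
    if is_trusted(trust_entries, sender_ip):
        return "trusted"
    ip = ipaddress.ip_address(sender_ip)
    for entry in bwl_entries:  # list order is the sequence in which entries are compared
        if entry.get("status", "enable") != "enable":
            continue
        if ip in parse_ip_subnet(entry["ip/subnet"]):
            return entry.get("action", "spam")
    return None


# Constructed sample lists, not taken from the original page.
SAMPLE_TRUST = [
    {"id": 1, "ip/subnet": "10.10.0.0/16"},                     # the company's own MTAs
]
SAMPLE_BWL = [
    {"id": 1, "ip/subnet": "198.51.100.25", "action": "clear"},               # one partner relay
    {"id": 2, "ip/subnet": "198.51.100.0/255.255.255.0", "action": "reject"}, # rest of that block
    {"id": 3, "ip/subnet": "203.0.113.0/24", "action": "spam"},
    {"id": 4, "ip/subnet": "192.0.2.0/24", "action": "reject", "status": "disable"},
]


def check_sender(sender_ip):
    return ipbwl_check(SAMPLE_BWL, SAMPLE_TRUST, sender_ip)
```

The order of entries is what makes the partner relay usable: the host entry 198.51.100.25 is cleared because it comes before the /24 reject that would otherwise match it, and swapping the two entries would reject the partner as well. A disabled entry is ignored, so 192.0.2.10 falls through to the next filter, and anything from the trusted 10.10.0.0/16 range is never compared against the list at all.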
Command syntax pattern
conf i g spamf i l t er i pt r ust
edi t <i pt r ust _l i st _i nt eger >
set name <i pt r ust _l i st >
set comment <i pt r ust _l i st _comment >
conf i g ent r i es
edi t <addr ess_i nt eger >
set i p/ subnet {<addr ess_i pv4> |
<addr ess_i pv4>/ <addr ess_i pv4mask>}
set st at us {enabl e | di sabl e}
end
Command history
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter mheader
spamfilter options
spamfilter DNSBL
Keywords and variables Description Default
<i pt r ust _l i st _i nt eger > A unique number to identify the IP trust list.
<i pt r ust _l i st > The name of the IP trust list.
<i pt r ust _l i st _comment > The comment attached to the IP trust list.
<addr ess_i nt eger > A unique number to identify the address.
i p/ subnet {<addr ess_i pv4>|
<addr ess_i pv4>/ <addr ess_i p
v4mask>}
The trusted IP address. A subnet mask in the format
192.168.10.23/255.255.255.0 or 192.168.10.23/24 can
also be included.
No default
st at us
{enabl e | di sabl e}
Enable or disable the IP address. enabl e
FortiOS v3.0 New.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
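The following is an added example, not FortiGate code, showing how a trust list of the kind this command holds is matched against the addresses seen for a message: an entry may be a bare address, an address with a dotted mask, or an address with a prefix length, disabled entries are ignored, and the first relay hop that is not trusted is the external address worth checking. The names TrustEntry, is_trusted and first_untrusted_hop, and the sample addresses, are chosen for this example.

```python
# Added example (not FortiGate code): matching IPs against an IP trust list
# whose entries use the ip/subnet forms accepted by spamfilter iptrust.
import ipaddress
from dataclasses import dataclass


@dataclass
class TrustEntry:
    ip_subnet: str          # "a.b.c.d", "a.b.c.d/255.255.255.0" or "a.b.c.d/24"
    status: str = "enable"  # entries set to disable are ignored


def parse_ip_subnet(value: str) -> ipaddress.IPv4Network:
    # ipaddress accepts both a dotted mask and a prefix length; strict=False
    # allows host bits in the address, so 192.168.10.23/24 denotes
    # 192.168.10.0/24, and a bare address becomes a /32.
    return ipaddress.ip_network(value, strict=False)


def is_trusted(ip: str, entries) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(e.status == "enable" and addr in parse_ip_subnet(e.ip_subnet)
               for e in entries)


def first_untrusted_hop(hops, entries):
    """Walk the relay IPs from the last hop (nearest to us) backwards and
    return the first one that is not on the trust list: the external address
    that still needs checking. Returns None when every hop is trusted."""
    for ip in hops:
        if not is_trusted(ip, entries):
            return ip
    return None


# Constructed sample list: the internal MTA subnet, one known-good external
# relay, and a disabled entry that must not count.
TRUST_LIST = [
    TrustEntry("192.168.10.23/255.255.255.0"),
    TrustEntry("203.0.113.50"),
    TrustEntry("198.51.100.0/24", status="disable"),
]

if __name__ == "__main__":
    # Constructed relay chain taken from Received headers, last hop first.
    hops = ["192.168.10.5", "203.0.113.50", "192.0.2.77"]
    print(first_untrusted_hop(hops, TRUST_LIST))
```

The same parsing applies to any FortiGate field that takes an address with either a dotted mask or a prefix length, which is why the example does not special-case the two forms.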
mheader
Use this command to configure email filtering based on the MIME header. MIME header settings are configured with this command, but MIME header filtering is enabled within each protection profile.
The FortiGate spam filters are applied in the following order:
For SMTP
1 IP address BWL check (last hop IP)
2 DNSBL and ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from Received headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from Received headers, and URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, FortiGuard Antispam check, DNSBL and ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit compares the MIME header key-value pair of incoming email to the list pairs in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.
MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:
X-mailer: outgluck
X-Distribution: bulk
Content_Type: text/html
Content_Type: image/jpg
The first part of the MIME header is called the header key, or just header. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. Mark the email as spam or clear for each header configured.
Use Perl regular expressions or wildcards to add MIME header patterns to the list. See Using Perl regular expressions on page 47.
Note: MIME header entries are case sensitive.
Command syntax pattern
config spamfilter mheader
    edit <mime_list_integer>
        set name <mime_list>
        set comment <mime_list_comment>
        config entries
            edit <mime_integer>
                set action {clear | spam}
                set fieldbody <mime_str>
                set fieldname <mime_str>
                set pattern-type {regexp | wildcard}
                set status {enable | disable}
        end
end
Keywords and variables   Description   Default
<mime_list_integer>
    A unique number to identify the MIME header list.
<mime_list>
    The name of the MIME header list.
<mime_list_comment>
    The comment attached to the MIME header list.
<mime_integer>
    A unique number to identify the MIME header.
action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam action configured in the protection profile. Default: spam.
fieldbody <mime_str>
    Enter the MIME header field body (the header value) using wildcards or Perl regular expressions. No default.
fieldname <mime_str>
    Enter the MIME header field name (the header key) using wildcards or Perl regular expressions. Do not include a trailing colon. No default.
pattern-type {regexp | wildcard}
    Enter the pattern-type for the MIME header. Choose from wildcards or Perl regular expressions. Default: wildcard.
status {enable | disable}
    Enable or disable scanning email headers for the MIME header and header value defined in the fieldbody and fieldname strings. Default: enable.
Command history
FortiOS v2.80 New.
FortiOS v3.0 Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4 All models have the same CLI syntax now.
Related topics
spamfilter bword
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter options
spamfilter DNSBL
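The following added example, not FortiGate code, shows a MIME header matcher that behaves the way the entries above are described: entries are tried in list order, the first match decides (clear or spam), no match passes the message on to the next filter, patterns are wildcards or Perl-style regular expressions, and matching is case sensitive. The empty fieldbody entry illustrates catching a header that a sender left blank. MimeEntry, parse_headers, mheader_verdict and the sample messages are constructed for this example.

```python
# Added example (not FortiGate code): MIME header list matching with the
# wildcard / regexp, clear / spam and first-match-wins semantics of
# spamfilter mheader.
import re
from dataclasses import dataclass


@dataclass
class MimeEntry:
    fieldname: str                  # header field name pattern, no trailing colon
    fieldbody: str                  # header field body pattern
    action: str = "spam"            # "clear" or "spam"
    pattern_type: str = "wildcard"  # "wildcard" or "regexp"
    status: str = "enable"


def wildcard_to_regex(pattern: str) -> str:
    """'*' matches any run of characters, '?' exactly one; all else is literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return "^" + "".join(parts) + "$"


def entry_matches(entry: MimeEntry, name: str, body: str) -> bool:
    # Case sensitive, as the note above states: no re.IGNORECASE here.
    if entry.pattern_type == "wildcard":
        return (re.fullmatch(wildcard_to_regex(entry.fieldname), name) is not None
                and re.fullmatch(wildcard_to_regex(entry.fieldbody), body) is not None)
    # regexp: Python's re handles the Perl-style patterns used here
    return (re.search(entry.fieldname, name) is not None
            and re.search(entry.fieldbody, body) is not None)


def parse_headers(raw: str):
    """Split the header block into (name, body) pairs, unfolding continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                           # blank line ends the header block
        if line[:1] in " \t" and headers:   # folded continuation of previous header
            n, b = headers[-1]
            headers[-1] = (n, (b + " " + line.strip()).strip())
        elif ":" in line:
            n, b = line.split(":", 1)
            headers.append((n.strip(), b.strip()))
    return headers


def mheader_verdict(raw: str, entries):
    """Return 'clear', 'spam', or None when no entry matches (next filter runs)."""
    headers = parse_headers(raw)
    for e in entries:                        # list order decides precedence
        if e.status != "enable":
            continue
        for name, body in headers:
            if entry_matches(e, name, body):
                return e.action
    return None


# Constructed list: the clear entry for the corporate mailer comes first so it
# exempts those messages before the spam entries are consulted; the empty
# fieldbody catches an X-Mailer header left blank.
ENTRIES = [
    MimeEntry("X-Mailer", "Corp-Mailer*", action="clear"),
    MimeEntry("X-Mailer", "outgluck*"),
    MimeEntry("X-Distribution", "bulk"),
    MimeEntry("X-Mailer", ""),
    MimeEntry("Content-Type", r"^text/html;\s*charset=", pattern_type="regexp",
              status="disable"),
]

# Constructed sample messages (headers only matter).
MSG_BULK = "From: a@example.com\r\nX-Mailer: outgluck\r\n 2.1\r\nSubject: hi\r\n\r\nbody"
MSG_CORP = "X-Mailer: Corp-Mailer 3\r\nX-Distribution: bulk\r\n\r\nbody"
MSG_BLANK = "X-Mailer:\r\nSubject: x\r\n\r\nbody"
MSG_CLEAN = "Subject: meeting\r\nX-Mailer: outlook\r\n\r\nbody"
MSG_LOWER = "x-mailer: outgluck\r\n\r\nbody"   # differs only in case, so no match
```

The order of ENTRIES matters: moving the clear entry below the bulk entry would mark the corporate mailer's bulk mail as spam, which is the behaviour the "in sequence" sentence above describes.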
options
Use this command to set the spamfilter DNS query timeout.
Command syntax pattern
config spamfilter options
    set dns-timeout <timeout_integer>
end
Example
This example shows how to set the DNS timeout.
config spamfilter options
    set dns-timeout 15
end
Keywords and variables   Description   Default
dns-timeout <timeout_integer>
    Set the DNS query timeout in the range 1 to 30 seconds. Default: 7.
Command history
FortiOS v3.0 New.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter DNSBL
DNSBL
Use this command to configure email filtering using DNS-based Blackhole List (DNSBL) or Open Relay Database List (ORDBL) servers. DNSBL and ORDBL settings are configured with this command, but DNSBL and ORDBL filtering is enabled within each protection profile.
The FortiGate spam filters are generally applied in the following order:
For SMTP
1 IP address BWL check (last hop IP)
2 DNSBL and ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from Received headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from Received headers, and URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, FortiGuard Antispam check, DNSBL and ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit compares the IP address or domain name of the sender to any database lists configured, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.
Some spammers use unsecured third-party SMTP servers to send unsolicited bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through.
There are several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs. Please check with the service being used to confirm the correct domain name for connecting to the server.
Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see system dns on page 317.
Command syntax pattern
config spamfilter DNSBL
    edit <DNSBL_list_integer>
        set name <DNSBL_list>
        set comment <DNSBL_list_comment>
        config entries
            edit <server_integer>
                set action {reject | spam}
                set server <name_str>
                set status {enable | disable}
        end
end
Keywords and variables   Description   Default
<DNSBL_list_integer>
    A unique number to identify the DNSBL list.
<DNSBL_list>
    The name of the DNSBL list.
<DNSBL_list_comment>
    The comment attached to the DNSBL list.
<server_integer>
    A unique number to identify the DNSBL server.
action {reject | spam}
    Enter reject to stop any further processing of the current session and to drop an incoming connection at once. Enter spam to identify email as spam. Default: spam.
server <name_str>
    Enter the domain name of a Real-time Blackhole List server or an Open Relay Database server. No default.
status {enable | disable}
    Enable or disable querying the Real-time Blackhole List server or Open Relay Database server named in the server string. Default: enable.
Command history
FortiOS v2.80 New.
FortiOS v3.0 Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR2 Multiple-list feature is available for all models.
FortiOS v3.0 MR5 Changed RBL to DNSBL.
Related topics
spamfilter bword
spamfilter emailbwl
spamfilter fortishield
spamfilter ipbwl
spamfilter iptrust
spamfilter mheader
spamfilter options
system dns
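The following added example, not FortiGate code, shows the DNS lookup that a DNSBL or ORDBL entry relies on: the client IP's octets are reversed and the list's domain name appended, the resulting name is resolved, and an answer inside 127.0.0.0/8 means the address is listed. Lists are consulted in sequence and the first hit decides between reject and spam; a list that does not answer within the timeout (the dns-timeout option above) is skipped and the next one tried. DNS is replaced here by a constructed in-memory table; DnsblServer, lookup, dnsbl_verdict and the sample list domains are names chosen for this example.

```python
# Added example (not FortiGate code): DNSBL query-name construction and
# in-sequence evaluation of a spamfilter DNSBL entry list, with a simulated
# DNS timeout handled as "not listed by this server".
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsblServer:
    server: str             # domain name of the DNSBL or ORDBL service
    action: str = "spam"    # "reject" or "spam"
    status: str = "enable"


def dnsbl_query_name(client_ip: str, server: str) -> str:
    """Build the conventional DNSBL query name, e.g. 10.113.0.203.dnsbl.example."""
    addr = ipaddress.IPv4Address(client_ip)        # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{server.rstrip('.')}"


# Constructed stand-in for DNS: query name -> A record. The value "timeout"
# simulates a list server that does not answer within dns-timeout.
STUB_DNS = {
    "10.113.0.203.dnsbl.example": "127.0.0.2",
    "10.113.0.203.ordb.example": "127.0.0.3",
    "7.100.51.198.slow.example": "timeout",
    "7.100.51.198.ordb.example": "127.0.0.4",
}


def lookup(qname: str, table=STUB_DNS):
    answer = table.get(qname)
    if answer == "timeout":
        raise TimeoutError(qname)
    return answer                                  # None: NXDOMAIN, not listed


def is_listed(answer) -> bool:
    # DNSBLs answer listed addresses from 127.0.0.0/8; anything else is not a listing
    return (answer is not None
            and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"))


def dnsbl_verdict(client_ip: str, servers, table=STUB_DNS):
    """Return (action, server) for the first enabled list that has the IP,
    or (None, None) so the message passes to the next spam filter."""
    for s in servers:
        if s.status != "enable":
            continue
        try:
            answer = lookup(dnsbl_query_name(client_ip, s.server), table)
        except TimeoutError:
            continue                               # this list is silent; try the next
        if is_listed(answer):
            return s.action, s.server
    return None, None


# Constructed server list: the silent list first, then a reject list, then a spam list.
SERVERS = [
    DnsblServer("slow.example", action="reject"),
    DnsblServer("dnsbl.example", action="reject"),
    DnsblServer("ordb.example"),
]
```

Because the loop returns on the first hit, a reject entry placed ahead of a spam entry wins for addresses on both lists, and a timed-out server neither blocks nor exempts the address.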
switch
Use switch commands to configure the FortiGate-224B unit switch functionality. You must enable switch-view in system global to access these commands.
This chapter contains the following sections:
global
mac-address-table
port-quarantine client-profile
port-quarantine dynamic-policy
port-quarantine strict-policy
QoS
spanning-tree
switchport
global
Use this command to configure general switch settings.
Command syntax pattern
config switch global
    set dot1x-radserver
    set dot1x-reAuthMax
    set dot1x-reAuthPeriod <s>
    set dot1x-serverTimeout
    set dot1x-suppTimeout <s>
    set fortinet-vid <startport>
    set igmp-snooping {enable | disable}
    set remedy-DoS <remedy>
    set voip-support {enable | disable}
    config igmp-static-filter
        edit <multicast-id>
            set multicast-Addr <ip>
            set port <port>
            set vlanid <vlanid>
    end
end
config switch vlan
    edit <vlanid>
        set igmp-snooping {enable | disable}
        set mrouter <string>
        set name <string>
end
Keywords and variables   Description   Default
dot1x-radserver
    Enter the RADIUS server name. No default.
dot1x-reAuthMax
    Enter the maximum number of incomplete authentication attempts the unit permits from one client. After this number of attempts, the client's status is unauthorized. Default: 2.
dot1x-reAuthPeriod <s>
    Enter the time period in seconds after which the client must reauthenticate. Default: 3600.
dot1x-serverTimeout
    Enter the maximum time in seconds that the unit waits for a response from the RADIUS server. Default: 15.
dot1x-suppTimeout <s>
    Enter the maximum time in seconds that the unit waits for a response from the client. Default: 15.
fortinet-vid <startport>
    Set the first reserved VLAN ID. There are 25 reserved VLAN IDs. The first is the quarantine VLAN. The other 24 are mapping VLANs for the switch ports. Default: 4020.
igmp-snooping {enable | disable}
    Enable or disable IGMP snooping. Default: disable.
remedy-DoS <remedy>
    Enter one of the following: minirate (minimize the rate limit) or shutdown (shut down the port). Default: shutdown.
voip-support {enable | disable}
    Enable or disable Voice-over-IP trunk port support. Default: disable.
igmp-static-filter keywords and variables
edit <multicast-id>
    Enter the multicast entry ID. No default.
multicast-Addr <ip>
    Enter the multicast address. No default.
port <port>
    Enter the port name: fe01-24, ge25-26. No default.
vlanid <vlanid>
    Enter the VLAN ID of the switch VLAN.
switch-vlan keywords and variables
edit <vlanid>
    Enter the VLAN ID of the switch VLAN.
igmp-snooping {enable | disable}
    Enable or disable IGMP snooping. Default: disable.
mrouter <string>
    Enter the static multicast router. No default.
name <string>
    Enter a name for the VLAN. No default.
Command history
FortiOS v3.0 MR5 New.
mac-address-table
Use this command to add entries to the MAC address table.
Command syntax pattern
config switch mac-address-table
    set mac-aging-time <seconds>
    config static
        edit <id>
            set mac <macaddr>
            set port <port>
            set vlanid <vlanid>
    end
end
Keywords and variables   Description   Default
edit <id>
    Enter an ID number for this entry. No default.
mac <macaddr>
    Enter the MAC address. No default.
mac-aging-time <seconds>
    Enter the duration in seconds after which this entry expires. Default: 300.
port <port>
    Enter the switch port number. No default.
vlanid <vlanid>
    Enter the switch VLAN ID. No default.
Command history
FortiOS v3.0 MR5 New.
port-quarantine client-profile
Use this command to define the operating system, antivirus and firewall software that the host check accepts.
Command syntax pattern
config switch port-quarantine client-profile
    edit <clprofile_name>
        set av-list <vendor-list>
        set fw-list <vendor-list>
        set os-list <os-detect-list>
end
Keywords and variables   Description   Default
edit <clprofile_name>
    Enter a name for this profile. No default.
av-list <vendor-list>
    Enable antivirus by vendor: FortiClient, Third, None. Default: None.
fw-list <vendor-list>
    Enable firewall by vendor: FortiClient, Third, None. Default: None.
os-list <os-detect-list>
    Set the accepted operating systems. One or more of:
    2000        Win 2000
    2000-SP1    2000 Service Pack 1
    2000-SP2    2000 Service Pack 2
    2000-SP3    2000 Service Pack 3
    2000-SP4    2000 Service Pack 4
    ME          Win ME
    NT-SP6      NT Service Pack 6
    None        Disable
    WIN98       Win 98
    XP          Win XP
    XP-SP1      XP Service Pack 1
    XP-SP2      XP Service Pack 2
    Default: None.
Command history
FortiOS v3.0 MR5 New.
Related topics
switch port-quarantine dynamic-policy
port-quarantine dynamic-policy
Use this command to configure the dynamic policy for clients.
Command syntax pattern
config switch port-quarantine dynamic-policy
    edit <dynpolicy_name>
        set client-profile <clprofile_name>
        set quarantine-event-av {enable | disable}
        set quarantine-event-ips {disable | high | info | med | low}
        set remedy-mode <remedy>
end
Note: If you enable FortiClient download, you must upload a FortiClient image using the execute restore forticlient command.
Keywords and variables   Description   Default
edit <dynpolicy_name>
    Enter a name for this profile. No default.
client-profile <clprofile_name>
    Enter the client profile to apply. No default.
quarantine-event-av {enable | disable}
    Enable or disable quarantine for a failed host check. Default: disable.
quarantine-event-ips {disable | high | info | med | low}
    Set the minimum IPS detection level on which to enable quarantine. Default: disable.
remedy-mode <remedy>
    Select one or more of the following remedies:
    fc          FortiClient download
    hostcheck   Host check
    none        Notice only
    url         Third-party URL access
    Default: none.
Command history
FortiOS v3.0 MR5 New.
Related topics
switch port-quarantine dynamic-policy
port-quarantine strict-policy
Use this command to configure the strict policy for clients.
Command syntax pattern
config switch port-quarantine strict-policy
    edit <sprofile_name>
        set client-profile <clprofile_name>
        set quarantine-action <q_action>
        set dyn-profile {scan | strict | unfiltered | web}
        set dyn-remedy {none | secure}
end
Keywords and variables   Description   Default
edit <sprofile_name>
    Enter a name for this profile. No default.
client-profile <clprofile_name>
    Enter the client profile to apply. No default.
quarantine-action <q_action>
    Select the quarantine action, one of:
    allow    allow access anyway
    deny     do not allow further access
    dyn      apply dynamic profile
    quaran   quarantine the port
    Default: disable.
dyn-profile {scan | strict | unfiltered | web}
    Select the protection profile to apply to the switch port. This is available when quarantine-action is dyn. No default.
dyn-remedy {none | secure}
    Select secure to automatically make the switch port a secure port. Otherwise, select none. This is available when quarantine-action is dyn. Default: none.
Command history
FortiOS v3.0 MR5 New.
Related topics
switch port-quarantine client-profile
QoS
Use this command to configure QoS settings.
Command syntax pattern
config switch QoS
    set cos {enable | disable}
    set dscp {enable | disable}
    set cos-preferred {enable | disable}
    set scheduling {strict-priority | wrr}
    config cos-map
        edit <cos-map-id>
            set cos <0-7>
            set queue-id <0-3>
    end
    config dscp-map
        edit <dscp-map-id>
            set dscp <0-63>
            set queue-id <0-3>
    end
end
Keywords and variables   Description   Default
cos {enable | disable}
    Enable 802.1p CoS. Default: enable.
dscp {enable | disable}
    Enable IP DSCP. Default: enable.
cos-preferred {enable | disable}
    Enable to prefer the 802.1q CoS value when both DSCP and CoS are available. Default: enable.
scheduling {strict-priority | wrr}
    Egress queue scheduling. Enter strict-priority for priority-based scheduling. Enter wrr for 8-4-2-1 weighted round-robin scheduling. Default: wrr.
cos-map keywords and variables
edit <cos-map-id>
    Enter the CoS map number to edit. No default.
cos <0-7>
    Enter the class of service. Range 0 to 7 inclusive. Default: 0.
queue-id <0-3>
    Enter the egress queue id. Range 1 to 4 inclusive. Default: 1.
dscp-map keywords and variables
edit <dscp-map-id>
    Enter the DSCP map number to edit.
dscp <0-63>
    Enter the IP DiffServ Code Point (DSCP). Range 0 to 63 inclusive. Default: 0.
queue-id <0-3>
    Enter the egress queue id. Range 1 to 4 inclusive. Default: 1.
Command history
FortiOS v3.0 MR5 New.
spanning-tree
Use this command to configure the spanning-tree protocol on the FortiGate-224B unit.
stp-instance commands are available only in PVST mode.
cst commands are available only in STP and RSTP modes.
Command syntax pattern
config switch spanning-tree
    set mode <stp-mode>
    set status {enabled | disabled}
    config stp-instance
        edit <vlanid>
            set enable {enabled | disabled}
            set forward-delay <f-delay>
            set hello-time <htime>
            set max-age <age>
            set priority <prio>
        next
    end
    config cst
        set forward-delay <f-delay>
        set hello-time <htime>
        set max-age <age>
        set priority <prio>
    end
end
Keywords and variables   Description   Default
edit <vlanid>
    For PVST+, enter the VLAN ID for per-VLAN STP. No default.
enable {enabled | disabled}
    Enable or disable STP for this VLAN (PVST+ only). Default: disable.
forward-delay <f-delay>
    Set the forward delay in seconds. Range 4-30. Default: 15.
hello-time <htime>
    Set the hello time in seconds. Range 1-10. Default: 2.
max-age <age>
    Set the maximum age. Range 6-40. Default: 20.
mode <stp-mode>
    Set stp-mode to one of: stp, rstp, pvst+. Default: rstp.
priority <prio>
    Set <prio> to a value between 0 and 61440 divisible by 4096. Default: 32768.
status {enabled | disabled}
    Enable or disable status report. Default: enable.
Command history
FortiOS v3.0 MR5 New.
switchport
Use this command to configure switch ports and per-VLAN spanning tree configuration on the FortiGate-224B unit.
Command syntax pattern
config switch switchport
    edit <port_name>
        set allow-all {enable | disable}
        set allow-vlans <name1 [[name2] .. [namen]]>
        set default-priority <prio>
        set dot1xmac-status {enabled | disabled}
        set edgeport {enabled | disabled}
        set flowcontrol {on | auto}
        set linktype <ltype>
        set mode <port_mode>
        set quarantine-status {enable | disable}
        set ratelimit-in <in-limit>
        set ratelimit-mode <rl_mode>
        set ratelimit-out <out-limit>
        set secure-port {enable | disable}
        set span-destination {RX | TX | BOTH | DISABLE}
        set span-source {RX | TX | BOTH | DISABLE}
        set speed-duplex <speed>
        set status {shutdown | enable}
        set strict-policy <spolicy>
        set vlanid <vlanid>
        config pvst-config
            edit <vlanid>
                set spanning-tree-pathcost <cost_int>
                set spanning-tree-priority <sp_prio>
            next
        end
    next
end
Keywords and variables   Description   Default
edit <port_name>
    The port name can be fe01-fe24 or ge25-ge26. No default.
allow-all {enable | disable}
    Enable to allow all VLANs for a trunk port. This is available only if mode is Trunk. Default: disable.
allow-vlans <name1 [[name2] .. [namen]]>
    Specify the VLANs to allow on this trunk. Enter names separated by spaces. This is available only if mode is Trunk and allow-all is disable. No default.
default-priority <prio>
    Enter the default priority. The range is 0 through 7. Default: 0.
dot1xmac-status {enabled | disabled}
    Enable for 802.1X on this port. Default: disable.
edgeport {enabled | disabled}
    Enable or disable spanning tree edge port. Default: enable.
flowcontrol {on | auto}
    Set flow control to on (always on) or auto. Default: auto.
linktype <ltype>
    Set ltype to one of:
    auto     automatic type selection
    p2p      point-to-point LAN
    shared   shared LAN
    Default: auto.
mode <port_mode>
    <port_mode> is one of:
    Access   The port provides access for clients.
    Trunk    The port is used as a trunk or part of an aggregated trunk.
    Default: Access.
quarantine-status {enable | disable}
    Enable or disable quarantine on this port. This is available only when mode is Access. Default: disable.
ratelimit-in <in-limit>
    Set the inbound rate limit for QoS. Range 62Kb/s to 256Mb/s. Set to 0 for no limit. Default: 0.
ratelimit-mode <rl_mode>
    Set <rl_mode> to one of all, broadcast, floodunicast, multicast, for QoS. Default: broadcast.
ratelimit-out <out-limit>
    Set the outbound rate limit for QoS. Range 62Kb/s to 256Mb/s. Set to 0 for no limit. Default: 0.
secure-port {enable | disable}
    Enable to make this a secure port. This is available only when mode is Access. Default: disable.
span-destination {RX | TX | BOTH | DISABLE}
    Optionally enable monitoring of transmit or receive traffic, or both, on this port. Default: disable.
span-source {RX | TX | BOTH | DISABLE}
    Optionally enable monitoring of transmit or receive traffic, or both, on this port. Default: disable.
speed-duplex <speed>
    The interface speed:
    auto       the default speed. The interface uses auto-negotiation to determine the connection speed. Change the speed only if the interface is connected to a device that does not support auto-negotiation.
    10full     10 Mbps, full duplex
    10half     10 Mbps, half duplex
    100full    100 Mbps, full duplex
    100half    100 Mbps, half duplex
    1000full   1000 Mbps, full duplex
    1000half   1000 Mbps, half duplex
    Speed options vary for different models and interfaces. Enter a space and a ? after the speed keyword to see a list of speeds available for that model and interface.
    Default: auto.
status {shutdown | enable}
    Status is shutdown or enabled. Default: enable.
strict-policy <spolicy>
    Enter the strict policy to apply. No default.
vlanid <vlanid>
    Enter the VLAN ID. The range is 1 to 4095. For Access mode, this is the default VLAN ID. For Trunk mode, this specifies the native VLAN. No default.
pvst-config keywords
edit <vlanid>
    Create or edit settings for VLAN <vlanid>.
spanning-tree-pathcost <cost_int>
    Default: 0.
spanning-tree-priority <sp_prio>
    Set sp_prio to a value between 0 and 240 that is divisible by 16. Default: 128.
Command history
FortiOS v3.0 MR5 New.
Related topics
switch spanning-tree
system
Use system commands to configure options related to the overall operation of the FortiGate unit, including:
Administrative access
Automatic updating of antivirus and attack definitions
High availability (HA)
Network interfaces
Replacement messages
VLANs and virtual domains
This chapter contains the following sections:
accprofile
admin
alertemail
arp-table
auto-install
autoupdate clientoverride
autoupdate ips
autoupdate override
autoupdate push-update
autoupdate schedule
autoupdate tunneling
aux
bug-report
console
dhcp reserved-address
dhcp server
dns
fm
fortianalyzer, fortianalyzer2, fortianalyzer3
fortiguard
fortiguard-log
global
gre-tunnel
ha
interface
ipv6-tunnel
mac-address-table
modem
npu
proxy-arp
replacemsg admin
replacemsg alertmail
replacemsg auth
replacemsg fortiguard-wf
replacemsg ftp
replacemsg hostcheck
replacemsg http
replacemsg im
replacemsg mail
replacemsg nntp
replacemsg spam
replacemsg sslvpn
session-helper
session-ttl
settings
snmp community
snmp sysinfo
tos-based-priority
vdom-link
wireless mac-filter
wireless settings
zone
accprofile
Use this command to add access profiles that control administrator access to FortiGate features. Each FortiGate administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiGate features.
You cannot delete or modify the super_admin access profile, but you can use the super_admin profile with more than one administrator account.
Command syntax pattern
config system accprofile
    edit <profile-name>
        set <access-group> <access-level>
end
Variable   Description   Default
edit <profile-name>
    Enter a new profile name to create a new profile. Enter an existing profile name to edit that profile. No default.
<access-group>
    Enter the feature group for which you are configuring access. No default.
    admingrp    administrator accounts and access profiles
    authgrp     user authentication, including local users, RADIUS servers, LDAP servers, and user groups
    avgrp       antivirus configuration
    fwgrp       firewall configuration; includes customized permission options: address, others (Virtual IP), policy, profile, schedule, service
    ipsgrp      intrusion prevention system configuration
    loggrp      log and report configuration including log settings, viewing logs and alert email settings
    mntgrp      maintenance commands: reset to factory defaults, format log disk, reboot, restore and shutdown; execute batch commands
    netgrp      interfaces, dhcp servers, zones; get system status, get system arp table, config system arp-table, execute dhcp lease-list, execute dhcp lease-clear
    routegrp    router configuration
    spamgrp     spamfilter configuration
    sysgrp      system configuration except accprofile, admin and autoupdate
    updategrp   FortiGuard antivirus and IPS updates, manual and automatic
    vpngrp      VPN configuration
    webgrp      webfilter configuration
<access-level>
    Enter the level of administrator access to this feature. Default: none.
    custom       configures custom access for fwgrp access selections only
    none         no access
    read         read-only access
    read-write   read and write access
config fwgrp-permission
    Configures customized firewall policy attribute permissions for the administrator.
    address    Enter the level of administrator permissions to the address attribute of the firewall policy: none, read, read-write.
    others     Enter the level of administrator permissions to the others attribute of the firewall policy: none, read, read-write. Refers to the Virtual IP attribute.
    policy     Enter the level of administrator permissions to the policy attribute of the firewall policy: none, read, read-write.
    profile    Enter the level of administrator permissions to the profile attribute of the firewall policy: none, read, read-write.
    schedule   Enter the level of administrator permissions to the schedule attribute of the firewall policy: none, read, read-write.
    service    Enter the level of administrator permissions to the service attribute of the firewall policy: none, read, read-write.
Examples
Use the following commands to add a new access profile named policy_profile that allows read and write access to firewall policies and that denies access to all other FortiGate features. An administrator account with this access profile can view and edit firewall policies, but cannot view or change any other FortiGate settings or features.
config system accprofile
    edit policy_profile
        set fwgrp read-write
end
Use the following commands to add a new access profile named policy_profile_cu that allows customized read and write access to firewall policies and that denies access to all other FortiGate features. An administrator account with this access profile can view and edit the selected custom firewall permissions (address, policy, and schedule), but cannot view or change any other FortiGate settings or features.
config system accprofile
    edit policy_profile_cu
        set fwgrp custom
        config fwgrp-permission
            set address read-write
            set policy read-write
            set schedule read-write
        end
    end
end
Command history
FortiOS v2.80 New.
FortiOS v3.0 MR1 Removed secgrp feature group.
FortiOS v3.0 MR2 Modifications for super_admin profile and read-write access-level changes (no write only).
FortiOS v3.0 MR4 Modifications for custom fwgrp firewall permissions; execute batch command control assigned to mntgrp (Maintenance) access control group.
Related topics
system admin
system admin
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 295
admin
Use this command to add, edit, and delete administrator accounts. Administrators can control what
data modules appear in the FortiGate unit system dashboard by using the conf i g syst emadmi n
command. Administrators must have read and write privileges to make dashboard GUI modifications.
Use the default admin account or an account with system configuration read and write privileges to
add new administrator accounts and control their permission levels. Each administrator account
except the default admin must include an access profile. You cannot delete the default super admin
account or change the access profile (super_admin).
You can authenticate administrators using a password stored on the FortiGate unit or you can use a
RADIUS server to perform authentication. When you use RADIUS authentication, you can
authenticate specific administrators or you can allow any account on the RADIUS server to access the
FortiGate unit as an administrator.
For detailed information about configuring administrators, see the System Administration chapter of
the FortiGate Administration Guide for your model.
Command syntax pattern
config system admin
  edit <name_str>
    set accprofile <profile-name>
    set comments <comments_string>
    set password <admin_password>
    set peer-auth <peer_auth>
    set peer-group <peer-grp>
    set radius-auth {enable | disable}
    set radius-group <name>
    set ssh-public-key1 "<key-type> <key-value>"
    set ssh-public-key2 "<key-type> <key-value>"
    set ssh-public-key3 "<key-type> <key-value>"
    set trusthost1 <address_ipv4mask>
    set trusthost2 <address_ipv4mask>
    set trusthost3 <address_ipv4mask>
    set vdom <vdom_name>
    config dashboard
      edit moduleid <module_name>
        set column <column_number>
        set status <module_status>
      end
  end
end

Note: For users with the super_admin access profile, you can reset the password in the CLI.

For a user ITAdmin with the access profile super_admin, to set the password to 123456:
config sys admin
  edit ITAdmin
    set password 123456
end

For a user ITAdmin with the access profile super_admin, to reset the password from 123456 to the default (empty or null):
config sys admin
  edit ITAdmin
    unset password 123456
end

If you type set password ? in the CLI, you must enter both the new password and the old password for the change to take effect. In this case you will NOT be able to reset the password to empty or null.

Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.
Keywords and variables

accprofile <profile-name>
    Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiGate features.
    Default: no default.

comments <comments_string>
    Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)
    Default: null

password <admin_password>
    Enter the password for this administrator.
    Default: null

peer-auth <peer_auth>
    Set to enable peer certificate authentication (for HTTPS admin access).
    Default: disable

peer-group <peer-grp>
    Name of a peer group defined under config user peergrp or a user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access).
    Default: null

radius-auth {enable | disable}
    Enable or disable authentication of this administrator using a RADIUS server.
    Default: disable

radius-group <name>
    Enter the administrator user group name, if you are using RADIUS authentication. The user group must contain only the RADIUS server. This is only available when radius-auth is enabled.
    Default: no default.

ssh-public-key1 "<key-type> <key-value>"
ssh-public-key2 "<key-type> <key-value>"
ssh-public-key3 "<key-type> <key-value>"
    You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application. <key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key. <key-value> is the public key string of the SSH client.
    Default: no default.

trusthost1 <address_ipv4mask>
trusthost2 <address_ipv4mask>
trusthost3 <address_ipv4mask>
    Any IP address or subnet address and netmask from which the administrator can connect to the FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: trusthost1 and trusthost2: 0.0.0.0 0.0.0.0; trusthost3: 127.0.0.1 255.255.255.255

wildcard {enable | disable}
    Enable wildcard to allow all accounts on the RADIUS server to log on to the FortiGate unit as administrator. Disable wildcard if you want to allow only the specified administrator to log on. This is available when radius-auth is enabled.
    Default: disable

vdom <vdom_name>
    Enter the name of the VDOM this account belongs to. (Optional)
    Default: no default.

dashboard
    Use config dashboard to configure the dashboard GUI of the FortiGate unit. The administrator must have read and write privileges to make changes.

moduleid <module_name>
    Name of the dashboard module. One of:
    sysinfo - System information
    licinfo - License information
    jsconsole - CLI console
    sysres - System resource information
    sysop - Unit operation information
    statistics - System operational statistics

column <column_number>
    Column in which the dashboard module appears. Values 1 or 2.

status <module_status>
    Status of the module on the dashboard. Values open or close.
    Default: open

Example
Use the following commands to add a new administrator account named new_admin with the password set to p8ssw0rd and that includes an access profile named policy_profile. It is accessible on the main_office VDOM. Administrators that log in to this account will have administrator access to the FortiGate unit from any IP address.
config system admin
  edit new_admin
    set password p8ssw0rd
    set accprofile policy_profile
    set vdom main_office
end

Command history
FortiOS v2.80 Revised.
FortiOS v3.0 Added email-address, first-name, last-name, mobile-number, pager-number, phone-number, radius-auth, radius-group, wildcard keywords.
FortiOS v3.0 MR1 Added is-admin and vdom keywords.
FortiOS v3.0 MR3 Removed is-admin. Combined first-name, last-name, email-address, phone-number, mobile-number, pager-number and put in keyword comments (concatenated).
FortiOS v3.0 MR4 Added dashboard configuration keywords/variables, password.
FortiOS v3.0 MR5 Added description of password setup.

Related topics
system accprofile
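The keyword table above carries two settings that quietly widen administrator access: trusthost1 and trusthost2 default to 0.0.0.0 0.0.0.0, so an account that sets only trusthost1 is still reachable from any address through trusthost2, and wildcard with radius-auth lets every RADIUS account log on as that administrator. The Python script below is an added example, not part of the Fortinet reference or of FortiOS; it parses a config system admin block as saved by the CLI and reports those conditions, plus SSH key types other than ssh-rsa or ssh-dss and local accounts with no password and no key. The sample configuration is constructed for the example: the first account mirrors the new_admin example on this page, the other two are invented for contrast.

```python
"""Audit a FortiOS 3.0 `config system admin` block for settings that widen administrator access."""
from typing import Dict, List, Tuple

# Defaults as documented in the keyword table: trusthost1/2 default to any
# address, trusthost3 to the loopback address.
TRUSTHOST_DEFAULTS = {
    "trusthost1": "0.0.0.0 0.0.0.0",
    "trusthost2": "0.0.0.0 0.0.0.0",
    "trusthost3": "127.0.0.1 255.255.255.255",
}
ANY_ADDRESS = "0.0.0.0 0.0.0.0"
SSH_KEY_TYPES = ("ssh-rsa", "ssh-dss")

# Constructed sample configuration (not from a real device). new_admin follows
# the page's example; noc_ops and ssh_only are invented. The key material is a
# placeholder, not a real public key.
SAMPLE_CONFIG = """\
config system admin
    edit "new_admin"
        set password p8ssw0rd
        set accprofile policy_profile
        set vdom main_office
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "noc_ops"
        set accprofile policy_profile
        set radius-auth enable
        set radius-group noc_radius
        set wildcard enable
        set trusthost1 10.10.0.0 255.255.0.0
    next
    edit "ssh_only"
        set accprofile super_admin
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_KEY ops@example"
        set trusthost1 192.0.2.10 255.255.255.255
        set trusthost2 192.0.2.10 255.255.255.255
        set trusthost3 192.0.2.10 255.255.255.255
        config dashboard
            edit sysinfo
                set column 1
            next
        end
    next
end
"""


def parse_admin_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {admin_name: {keyword: value}} for the `config system admin` block.

    Nested sub-blocks such as `config dashboard` are skipped so that their
    `set` lines are not mistaken for administrator keywords.
    """
    admins: Dict[str, Dict[str, str]] = {}
    current = None
    in_block = False
    nested = 0  # depth inside a nested config block of the current entry
    for raw in text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
            continue
        if nested:
            if line.startswith("config "):
                nested += 1
            elif line == "end":
                nested -= 1
            continue
        if line.startswith("config "):
            nested = 1
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break
    return admins


def audit_admins(admins: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (admin_name, finding) pairs for settings that widen admin access."""
    findings: List[Tuple[str, str]] = []
    for name, s in admins.items():
        # An unset trusthost keeps its default, so the default matters as much
        # as an explicit 0.0.0.0 0.0.0.0.
        for key, default in TRUSTHOST_DEFAULTS.items():
            if s.get(key, default) == ANY_ADDRESS:
                how = "set to" if key in s else "left at default"
                findings.append((name, f"{key} {how} {ANY_ADDRESS}: login allowed from any address"))
        radius = s.get("radius-auth") == "enable"
        if radius and s.get("wildcard") == "enable":
            findings.append((name, "wildcard enabled: any account on the RADIUS server can log on as this administrator"))
        if radius and not s.get("radius-group"):
            findings.append((name, "radius-auth enabled without a radius-group"))
        keys = [s[k] for k in ("ssh-public-key1", "ssh-public-key2", "ssh-public-key3") if k in s]
        for key in keys:
            key_type = key.split(" ", 1)[0]
            if key_type not in SSH_KEY_TYPES:
                findings.append((name, f"SSH public key type {key_type!r} is not ssh-rsa or ssh-dss"))
        if not radius and not keys and not s.get("password"):
            findings.append((name, "local account with no password and no SSH key"))
    return findings


if __name__ == "__main__":
    for admin, finding in audit_admins(parse_admin_config(SAMPLE_CONFIG)):
        print(f"{admin}: {finding}")
```

Run against the sample, the script flags new_admin twice (trusthost1 set to any address, trusthost2 left at its default) and noc_ops twice (trusthost2 default, wildcard), and reports nothing for ssh_only, which sets all three trusted hosts and authenticates by key.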
alertemail
Use this command to configure the FortiGate unit to access an SMTP server to send alert emails. This command is global in scope.
To configure alertemail settings you must first configure the server and enable authenticate. Only then are all the keywords visible.

Command syntax pattern
config system alertemail
  set authenticate {disable | enable}
  set password <password-str>
  set server {<name-str> | <address-ipv4>}
  set username <username-str>
end

Note: You must configure the server setting under config system alertemail before the commands under config alertemail become accessible. For more information on config alertemail, see alertemail on page 63.

Keywords and variables

authenticate {disable | enable}
    Enable SMTP authentication if the FortiGate unit is required to authenticate before using the SMTP server. This variable is accessible only if server is defined.
    Default: disable

password <password-str>
    Enter the password that the FortiGate unit needs to access the SMTP server. This variable is accessible only if authenticate is enabled and server is defined.
    Default: no default.

server {<name-str> | <address-ipv4>}
    Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiGate unit should send email. Alternately, the IP address of the SMTP server can be entered. The SMTP server can be located on any network connected to the FortiGate unit.
    Default: no default.

username <username-str>
    Enter the user name for the SMTP server that the FortiGate unit uses to send alert emails. This variable is accessible only if authenticate is enabled and server is defined.
    Default: no default.

Examples
This example shows how to configure the FortiGate unit to send alert emails using the SMTP server smtp.ourcompany.com. The order of the keywords is important: the server must be defined first, then authentication enabled. The FortiGate unit uses the user name admin2 and the password h8rdt0g3uss to connect to the SMTP server.
config system alertemail
  set server smtp.ourcompany.com
  set authenticate enable
  set password h8rdt0g3uss
  set username admin2
end

Command history
FortiOS v3.0 Command created from alertemail command.
arp-table
Use this command to manually configure the ARP table entries on the FortiGate unit. You can only access the arp-table values from the CLI.
This command is not available when VDOMs are enabled or in Transparent (TP) mode.

Command syntax pattern
config system arp-table
  edit <table_value>
    set interface <port>
    set ip <address-ipv4>
    set mac <mac_address>
  next
end

Keywords and variables

interface <port>
    Enter the interface this ARP entry is associated with.
    Default: no default.

ip <address-ipv4>
    Enter the IP address of the ARP entry.
    Default: no default.

mac <mac_address>
    Enter the MAC address of the device entered in the table, in the form xx:xx:xx:xx:xx:xx.
    Default: no default.

Examples
This example adds an entry to the arp-table with a MAC address of 00-09-0f-69-00-7c and an IP address of 172.20.120.161 on the port2 interface.
config system arp-table
  edit 3
    set interface port2
    set ip 172.20.120.161
    set mac 00:09:0f:69:00:7c
  next
end

Command history
FortiOS v3.0 MR2 New command.

Related topics
get system arp
auto-install
Use this command to configure automatic installation of firmware and system configuration from a USB disk when the FortiGate unit restarts. This command is available only on units that have a USB disk connection.
If you set both configuration and firmware image update, both occur on the same reboot. The FortiGate unit will not reload a firmware or configuration file that is already loaded.
FortiUSB and generic USB disks are supported. However, the USB disk must be formatted as a FAT16 drive. No other partition type is supported.
To format your USB disk when it is connected to your FortiGate unit, at the CLI prompt type exe usb-disk format.
To format your USB disk when it is connected to a Windows system, at the command prompt type format <drive_letter>: /FS:FAT /V:<drive_label> where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB disk volume for identification.

Note: Formatting your USB disk will delete all information on your USB disk.

Command syntax pattern
config system auto-install
  set auto-install-config {disable | enable}
  set auto-install-image {disable | enable}
  set default-config-file
  set default-image-file
end

Variables

auto-install-config {disable | enable}
    Enable or disable automatic loading of the system configuration from a USB disk on the next reboot.
    Default: disable

auto-install-image {disable | enable}
    Enable or disable automatic installation of firmware from a USB disk on the next reboot.
    Default: disable

default-config-file
    Enter the name of the configuration file on the USB disk.
    Default: system.conf

default-image-file
    Enter the name of the image file on the USB disk.
    Default: image.out

Command history
FortiOS v3.0 New.
autoupdate clientoverride
Use this command to receive updates on a different interface than the interface connected to the FortiGuard Distribution Network (FDN). This command changes the source IP address of update requests to the FortiGuard server, causing it to send the update to the modified source address.
This is useful if your company uses an internal updates server instead of the FDN.

Command syntax pattern
config system autoupdate clientoverride
  set address <address_ipv4>
  set status {enable | disable}
end

Variables

address <address_ipv4>
    Enter the IP address or fully qualified domain name to receive updates from.
    Default: no default.

status {enable | disable}
    Enable or disable the ability to override the FDN interface address.
    Default: disable

Example
This example shows how to add a push update client IP address of 192.0.2.45, which is on the port4 interface.
config system autoupdate clientoverride
  set address 192.0.2.45
  set status enable
end

Command history
FortiOS v2.80 MR6 Added.

Related topics
system autoupdate override
system autoupdate push-update
system autoupdate schedule
system autoupdate tunneling
execute update-av
autoupdate ips
IPS signature updates can include recommended settings. You can choose to use these new settings or retain your existing ones. The default is enable, that is, to accept the recommended settings.

Command syntax pattern
config system autoupdate ips
  set accept-recommended-settings {disable | enable}
end

Command history
FortiOS v3.0 New.

Related topics
system autoupdate push-update
system autoupdate schedule
system autoupdate tunneling
execute update-av
autoupdate override
Use this command to specify an override FDS server.
If you cannot connect to the FortiGuard Distribution Network (FDN) or if your organization provides updates using their own FortiGuard server, you can specify an override FDS server so that the FortiGate unit connects to this server instead of the FDN.

Note: If you are unable to connect to the FDS server, even after specifying an override server, it is possible your ISP is blocking the lower TCP and UDP ports for security reasons. Contact your ISP to make sure they unblock TCP and UDP ports 1025 to 1035 to enable FDS server traffic.

Command syntax pattern
config system autoupdate override
  set address <FDS_address>
  set status {enable | disable}
end

Variables

address <FDS_address>
    Enter the IP address or fully qualified domain name of the override FDS server.
    Default: no default.

status {enable | disable}
    Enable or disable overriding the default FDS server.
    Default: disable

Example
This example shows how to add and enable your company's own FDS override server with an IP address of 192.168.87.45.
config system autoupdate override
  set address 192.168.87.45
  set status enable
end

Command history
FortiOS v2.80 Revised.

Related topics
system autoupdate push-update
system autoupdate schedule
system autoupdate tunneling
execute update-av
execute update-ips
autoupdate push-update
Use this command to configure push updates. The FortiGuard Distribution Network (FDN) can push updates to FortiGate units to provide the fastest possible response to critical situations such as software exploits or viruses. You must register the FortiGate unit before it can receive push updates.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time an update is released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.
Using this command you can enable or disable push updates. You can also configure push IP address and port overrides. If the FDN must connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update override configuration.

Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).

Command syntax pattern
config system autoupdate push-update
  set address <push_ipv4>
  set override {enable | disable}
  set port <FDN_port>
  set status {enable | disable}
end

Variables

address <push_ipv4>
    Enter the external IP address that the FDN connects to if you want to enable push override. This is the address of the external interface of your NAT device.
    Default: no default.

override {enable | disable}
    Enable an override of push updates. Select enable if the FortiGate unit connects to the FDN through a NAT device.
    Default: disable

port <FDN_port>
    Enter the port that the FDN connects to. This can be port 9443 by default or a different port that you assign.
    Default: 9443

status {enable | disable}
    Enable or disable FDN push updates.
    Default: disable

Example
This example shows how to enable push updates on port 9993.
config system autoupdate push-update
  set status enable
  set port 9993
end

Command history
FortiOS v2.80 Revised.

Related topics
system autoupdate override
system autoupdate schedule
system autoupdate tunneling
execute update-av
execute update-ips
autoupdate schedule
Use this command to enable or disable scheduled FDN updates at regular intervals throughout the day, once a day, or once a week.
To have your FortiGate unit update at a random time during a particular hour, select a time whose minutes field is 60; this chooses a random minute within that hour for the scheduled update.

Command syntax pattern
config system autoupdate schedule
  set day <day_of_week>
  set frequency {every | daily | weekly}
  set status {enable | disable}
  set time <hh:mm>
end

Variables

day <day_of_week>
    Enter the day of the week on which to check for updates. Enter one of: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday.
    This option is available only when frequency is set to weekly.
    Default: Monday

frequency {every | daily | weekly}
    Schedule the FortiGate unit to check for updates every hour, once a day, or once a week. Set frequency to one of the following:
    every - Check for updates periodically. Set time to the time interval to wait between updates.
    daily - Check for updates once a day. Set time to the time of day to check for updates.
    weekly - Check for updates once a week. Set day to the day of the week to check for updates. Set time to the time of day to check for updates.
    Default: every

status {enable | disable}
    Enable or disable scheduled updates.
    Default: disable

time <hh:mm>
    Enter the time at which to check for updates.
    hh can be 00 to 23
    mm can be 00 to 59, or 60 for a random minute
    Default: 01:60

Example
This example shows how to configure the FortiGate unit to check the FortiGuard Distribution Network (FDN) for updates once a day at 3:00 in the morning.
config system autoupdate schedule
  set frequency daily
  set time 03:00
  set status enable
end

This example is the same as the above example but it will check for updates once a day at some time between 3:00 and 4:00 in the morning.
config system autoupdate schedule
  set frequency daily
  set time 03:60
  set status enable
end

Command history
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Can set time as well as day for weekly updates.

Related topics
system autoupdate override
system autoupdate push-update
system autoupdate tunneling
system global
autoupdate tunneling
Use this command to configure the FortiGate unit to use a proxy server to connect to the FortiGuard Distribution Network (FDN). To use the proxy server you must enable tunneling and add the IP address and port required to connect to the proxy server. If the proxy server requires authentication, add the user name and password required to connect to the proxy server.
The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow CONNECT to any port; they restrict the allowed ports to the well-known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow connections on this port.
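The exchange described above, as an added example that is not part of the Fortinet reference or of FortiOS: the Python below builds the CONNECT request a client sends to a proxy and interprets the proxy's status line, including the two refusals a practitioner meets when troubleshooting this feature (407, the proxy wants credentials; 403, the proxy does not allow CONNECT to port 8890). Basic authentication is an assumption, since the page only says authentication information may be included; the FDN address 192.0.2.1 is a placeholder, and the proxy replies are constructed, not captured traffic. The proxy address, user name and password are those of the example in this section.

```python
"""Build and interpret the HTTP CONNECT exchange between a client and a proxy (RFC 2616 section 9.9)."""
import base64
from typing import Optional, Tuple

# From the page's tunneling example: proxy 67.35.50.34:8080, user proxy_user,
# password proxy_pwd. The FDN address is a placeholder; the page gives none.
PROXY_HOST, PROXY_PORT = "67.35.50.34", 8080
PROXY_USER, PROXY_PASS = "proxy_user", "proxy_pwd"
FDN_HOST_PLACEHOLDER, FDN_PORT = "192.0.2.1", 8890


def basic_credentials(username: str, password: str) -> str:
    """Encode username:password for a Basic Proxy-Authorization header.

    Base64 is an encoding, not encryption: the proxy hop sees the password in
    clear, so the link to the proxy must be trusted or otherwise protected.
    """
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def build_connect_request(target_host: str, target_port: int,
                          username: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """The request the client (here, the FortiGate unit) sends to the proxy.

    Basic authentication is assumed; the page does not name the scheme.
    """
    authority = f"{target_host}:{target_port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if username is not None:
        lines.append(f"Proxy-Authorization: Basic {basic_credentials(username, password or '')}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str]:
    """Return (status_code, reason_phrase) from the proxy's reply to CONNECT."""
    status_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def tunnel_established(raw: bytes) -> bool:
    """Only a 2xx reply means the proxy opened the tunnel. After it, bytes on the
    same socket go to the FDN, so the HTTPS handshake on port 8890 starts there."""
    code, _ = parse_connect_response(raw)
    return 200 <= code < 300


# Constructed proxy replies for the three outcomes discussed in the text.
REPLY_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
REPLY_AUTH_REQUIRED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                       b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
                       b"Content-Length: 0\r\n\r\n")
# What a proxy that limits CONNECT to the well-known HTTPS port returns for 8890.
REPLY_PORT_REFUSED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    request = build_connect_request(FDN_HOST_PLACEHOLDER, FDN_PORT, PROXY_USER, PROXY_PASS)
    print(f"client -> {PROXY_HOST}:{PROXY_PORT}\n{request.decode('ascii')}")
    for reply in (REPLY_OK, REPLY_AUTH_REQUIRED, REPLY_PORT_REFUSED):
        verdict = "tunnel open" if tunnel_established(reply) else "refused"
        print(parse_connect_response(reply), verdict)
```

When the update still fails after tunneling is enabled, the proxy's status code tells you which side to fix: a 407 means the username and password keywords are wrong or missing, while a 403 or 405 on a correct login points at the proxy's CONNECT port policy rather than at the FortiGate unit.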
Command syntax pattern
config system autoupdate tunneling
  set address <proxy_address>
  set password <password>
  set port <proxy_port>
  set status {enable | disable}
  set username <name>
end

Variables

address <proxy_address>
    The IP address or fully qualified domain name of the proxy server.
    Default: no default.

password <password>
    If one is required, the password to connect to the proxy server.
    Default: no default.

port <proxy_port>
    The port required to connect to the proxy server.
    Default: no default.

status {enable | disable}
    Enable or disable tunneling.
    Default: disable

username <name>
    The user name used to connect to the proxy server.
    Default: no default.

Example
This example shows how to enable tunneling where the FortiGate unit must connect to a proxy server with IP address 67.35.50.34 that uses port 8080 and requires the user id proxy_user and the password proxy_pwd.
config system autoupdate tunneling
  set address 67.35.50.34
  set port 8080
  set username proxy_user
  set password proxy_pwd
  set status enable
end

Command history
FortiOS v2.80 Revised.

Related topics
system autoupdate override
system autoupdate push-update
system autoupdate schedule
aux
Use this command to configure the AUX port on 1000A, 1000AFA2, and 3000A models for remote console connection. You would use a modem to remotely connect to a console session on the FortiGate unit.
The main difference between the standard console port and the AUX port is that the standard console port is for local serial console connections only; it cannot accept a modem connection to establish a remote console connection. The AUX console port allows you to establish a local connection, but it has some limitations the standard console port does not have.
The AUX port will not display the booting messages that the standard console connection displays.
The AUX port will send out modem initializing strings (AT strings) that will appear on an AUX console session at the start.

Command syntax pattern
config system aux
  set baudrate <baudrate>

<baudrate> is the speed of the connection. It can be set to one of the following: 9600, 19200, 38400, 57600, or 115200. The default is 9600.
Ensure devices on both ends of the connection are set to the same baudrate.

Command history
FortiOS v3.0 MR1 New.

Related topics
system console
bug-report
Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.

Command syntax pattern
config system bug-report
  set auth {no | yes}
  set mailto <email_address>
  set password <password>
  set server <servername>
  set username <name>
  set username-smtp <account_name>
end

Variables

auth {no | yes}
    Enter yes if the SMTP server requires authentication or no if it does not.
    Default: no

mailto <email_address>
    The email address for bug reports. The default is bug_report@fortinetvirussubmit.com.
    Default: see description.

password <password>
    If the SMTP server requires authentication, enter the password required.
    Default: no default.

server <servername>
    The SMTP server to use for sending bug report email. The default server is fortinetvirussubmit.com.
    Default: see description.

username <name>
    A valid user name on the specified SMTP server. The default user name is bug_report.
    Default: see description.

username-smtp <account_name>
    A valid user name on the specified SMTP server. The default user name is bug_report.
    Default: see description.

Example
This example shows how to configure the FortiGate unit to send bug report email from the ourmailserver.com email server to bug_report@ourcompany.com using the User1 account. The email server requires authentication.
config system bug-report
  set auth yes
  set mailto bug_report@ourcompany.com
  set password 123456
  set server ourmailserver.com
  set username OurAdmin
end

Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 Command changed from config bug-report to config system bug-report.
FortiOS v3.0 Changed username_smtp to username-smtp.
FortiOS v3.0 MR1 Added mailto keyword.

Related topics
system dns
console
Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.
FortiGate-1000A, 1000AFA2, and 3000A models have an AUX port that can be used for remote console connections using a modem. This port on these models is configured with the system aux command; see aux on page 310.
If this FortiGate unit is connected to a FortiManager unit running scripts, output must be set to standard for scripts to execute properly.

Command syntax pattern
config system console
  set baudrate <speed>
  set mode {batch | line}
  set output {standard | more}
end

Variables

baudrate <speed>
    Set the console port baudrate. Select one of 9600, 19200, 38400, 57600, or 115200.
    Default: 9600

mode {batch | line}
    Set the console mode to line or batch. Used for autotesting only.
    Default: line

output {standard | more}
    Set console output to standard (no pause) or more (pause after each screen is full, resume on keypress). This setting applies to show or get commands only.
    Default: standard

Example
This example shows how to set the baudrate to 38400 and set the output style to more so it will pause after each screen full of information.
config system console
  set baudrate 38400
  set output more
end

Command history
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Command changed from config console to config system console.
FortiOS v2.80 MR4 page keyword removed. output keyword added.

Related topics
system aux
dhcp reserved-address
Use this command to reserve an IP address for a particular client identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to the client.
The number of reserved addresses that you can define ranges from 10 to 200 depending on the FortiGate model.

Note: For this configuration to take effect, you must configure at least one DHCP server using the config system dhcp server command; see dhcp server on page 314.

Command syntax pattern
config system dhcp reserved-address
  edit <name_str>
    set ip <address_ipv4>
    set mac <address_hex>
    set type {regular | ipsec}
end

Variables

ip <address_ipv4>
    Enter the IP address.
    Default: 0.0.0.0

mac <address_hex>
    Enter the MAC address.
    Default: 00:00:00:00:00:00

type {regular | ipsec}
    Enter the type of the connection to be reserved:
    regular - Client connecting through regular Ethernet
    ipsec - Client connecting through IPSec VPN
    Default: regular

Example
Use the following command to add a reserved address named client_1 consisting of IP address 192.168.110.3 and MAC address 00:09:0F:0A:01:BC for a regular Ethernet connection.
config system dhcp reserved-address
  edit client_1
    set ip 192.168.110.3
    set mac 00:09:0F:0A:01:BC
    set type regular
end

Command history
FortiOS v2.80 Substantially revised.

Related topics
system dhcp server
system interface
dhcp server
Use this command to add one or more DHCP servers for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on a network connected to the interface. On FortiGate models numbered 100 and below, you can configure up to 8 DHCP servers. On all other models, you can configure up to 32 DHCP servers.
You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks. For more information on configuring your network and FortiGate unit to use multiple DHCP servers on one interface, see the System DHCP chapter in the Administration Guide for your FortiGate unit.
This command is available in NAT/Route mode only.

Command syntax pattern
config system dhcp server
  edit <dhcpservername>
    set conflicted-ip-timeout <timeout_int>
    set default-gateway <address_ipv4>
    set dns-server1 <address_ipv4>
    set dns-server2 <address_ipv4>
    set dns-server3 <address_ipv4>
    set domain <domain-name_str>
    set enable {enable | disable}
    set end-ip <address_ipv4>
    set interface <interface-name>
    set lease-time <seconds>
    set netmask <mask>
    set option1 <option_code> [<option_hex>]
    set option2 <option_code> [<option_hex>]
    set option3 <option_code> [<option_hex>]
    set server-type <type>
    set start-ip <address_ipv4>
    set wins-server1 <wins_ipv4>
    set wins-server2 <wins_ipv4>
    config exclude-range
      edit <excl_range_num>
        set end-ip <excl_ipv4>
        set start-ip <excl_ipv4>
    end
end

Variables

conflicted-ip-timeout <timeout_int>
    Enter the time in seconds to wait before a conflicted IP address is removed from the DHCP range. Valid range is from 60 to 8640000 seconds (1 minute to 100 days).
    Default: 1800

default-gateway <address_ipv4>
    The IP address of the default gateway that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0

dns-server1 <address_ipv4>
    The IP address of the first DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0

dns-server2 <address_ipv4>
    The IP address of the second DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0

dns-server3 <address_ipv4>
    The IP address of the third DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0

domain <domain-name_str>
    Domain name suffix for the IP addresses that the DHCP server assigns to DHCP clients.
    Default: no default.

enable {enable | disable}
    Enable or disable this DHCP server.
    Default: enable

end-ip <address_ipv4>
    The ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The IP range is defined by the start-ip and the end-ip keywords, which should both be in the same subnet.
    Default: 0.0.0.0

interface <interface-name>
    The interface of the DHCP server.
    Default: internal

lease-time <seconds>
    The interval in seconds after which a DHCP client must ask the DHCP server for new settings. The lease duration must be between 300 and 864,000 seconds (10 days). Set lease-time to 0 for an unlimited lease time.
    Default: 604,800 (7 days)

netmask <mask>
    The DHCP client netmask assigned by the DHCP server.
    Default: 0.0.0.0

option1 <option_code> [<option_hex>]
option2 <option_code> [<option_hex>]
option3 <option_code> [<option_hex>]
    The first, second, and third custom DHCP options that can be sent by the DHCP server. option_code is the DHCP option code in the range 1 to 255. option_hex is an even number of hexadecimal characters. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
    Default: no default.

server-type <type>
    Enter the type of client to serve:
    regular - Client connects through regular Ethernet
    ipsec - Client connects through IPSec VPN
    Default: regular

start-ip <address_ipv4>
    The starting IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The IP range is defined by the start-ip and the end-ip keywords, which should both be in the same subnet.
    Default: 0.0.0.0

wins-server1 <wins_ipv4>
    The IP address of the first WINS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0

wins-server2 <wins_ipv4>
    The IP address of the second WINS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0

config exclude-range
    Configure a range of IP addresses to exclude from the list of DHCP addresses that are available.

edit <excl_range_num>
    Enter an integer ID for this exclusion range. You can add up to 16 exclusion ranges of IP addresses that the FortiGate DHCP server cannot assign to DHCP clients.
    Default: none

start-ip <excl_ipv4>
    The start IP address in the exclusion range. The start IP and end IP must be in the same subnet. This keyword applies to exclude-range.
    Default: 0.0.0.0

end-ip <excl_ipv4>
    The end IP address in the exclusion range. The start IP and end IP must be in the same subnet. This keyword applies to exclude-range.
    Default: 0.0.0.0
Variables Description Default
FortiGate CLI Version 3.0 MR5 Reference
316 01-30005-0015-20070803
dhcp server system
Example
Use the following command to add a DHCP server named new_dhcp. This DHCP server assigns IP
addresses to computers connected to the same network as the internal interface. The IP addresses
assigned are in the range 192.168.33.100 to 192.168.33.200. The example DHCP configuration also
sets the netmask, default gateway, two DNS server IP addresses, the lease time, and one WINS
server.
conf i g syst emdhcp ser ver
edi t new_dhcp
set i nt er f ace i nt er nal
set st ar t - i p 192. 168. 33. 100
set end- i p 192. 168. 33. 200
set net mask 255. 255. 255. 0
set def aul t - gat eway 192. 168. 33. 1
set dns- ser ver 1 56. 34. 56. 96
set dns- ser ver 2 56. 34. 56. 99
set l ease- t i me 4000
set wi ns- ser ver 1 192. 168. 33. 45
end
The following command shows how to add an exclusion range from 192.168.20.22 to 192.168.20.25.
conf i g syst emdhcp ser ver
edi t new_dhcp
conf i g excl ude- r ange
edi t 1
set st ar t - i p 192. 168. 20. 22
set end- i p 192. 168. 20. 25
end
end
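As an added example (not from the reference and not Fortinet code), the following Python script checks a DHCP server entry against the constraints stated in the table above before it is pushed to a unit: start-ip and end-ip in one subnet, lease-time of 0 or 300 to 864,000 seconds, no more than 16 exclusion ranges whose ends share a subnet, and option codes 1 to 255 followed by an even number of hex characters. The two settings dictionaries are constructed for this example; the first mirrors the new_dhcp example above, the second is deliberately faulty.

```python
"""Consistency checks for a FortiGate 'config system dhcp server' entry.

Added example, not Fortinet code. It encodes the constraints this reference
states for the keywords so a configuration can be checked before it is
pushed to a unit.
"""
import ipaddress

LEASE_MIN, LEASE_MAX = 300, 864_000   # seconds, from the lease-time description
MAX_EXCLUDE_RANGES = 16               # from the config exclude-range description
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _same_subnet(ip_a, ip_b, netmask):
    """True when ip_b falls in the subnet defined by ip_a/netmask."""
    net = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def validate_dhcp_server(settings, exclude_ranges=()):
    """Return a list of problems; an empty list means the entry is consistent.

    settings maps each keyword to the value typed after 'set' (strings, as on
    the CLI); exclude_ranges is a sequence of (start-ip, end-ip) pairs from
    the config exclude-range subcommand.
    """
    problems = []
    netmask = settings.get("netmask", "0.0.0.0")
    start = settings.get("start-ip", "0.0.0.0")
    end = settings.get("end-ip", "0.0.0.0")
    try:
        start_ip = ipaddress.ip_address(start)
        end_ip = ipaddress.ip_address(end)
        ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    except ValueError as exc:
        return [f"unparseable address or netmask: {exc}"]

    # Pool: both ends in one subnet and the netmask not left at its default.
    # A 0.0.0.0 mask is reported on its own because with it every address
    # trivially shares a subnet and the range check would pass for the wrong reason.
    if netmask == "0.0.0.0":
        problems.append("netmask is still the default 0.0.0.0")
    if start_ip > end_ip:
        problems.append("start-ip is higher than end-ip")
    if not _same_subnet(start, end, netmask):
        problems.append("start-ip and end-ip are not in the same subnet")

    # lease-time: 0 means unlimited, otherwise 300 to 864,000 seconds.
    lease = int(settings.get("lease-time", "604800"))
    if lease != 0 and not LEASE_MIN <= lease <= LEASE_MAX:
        problems.append(f"lease-time {lease} is outside {LEASE_MIN}-{LEASE_MAX} (0 = unlimited)")

    # optionN: '<option_code> [<option_hex>]' with code 1-255 and even-length hex.
    for key in ("option1", "option2", "option3"):
        if key in settings:
            code, _, hexval = settings[key].partition(" ")
            if not (code.isdigit() and 1 <= int(code) <= 255):
                problems.append(f"{key}: option code {code!r} is not in 1-255")
            if hexval and (len(hexval) % 2 or not set(hexval) <= HEX_DIGITS):
                problems.append(f"{key}: option_hex must be an even number of hex characters")

    # Exclusion ranges: at most 16, each with both ends in one subnet.
    if len(exclude_ranges) > MAX_EXCLUDE_RANGES:
        problems.append(f"{len(exclude_ranges)} exclusion ranges exceed the limit of {MAX_EXCLUDE_RANGES}")
    for ex_start, ex_end in exclude_ranges:
        if ipaddress.ip_address(ex_start) > ipaddress.ip_address(ex_end):
            problems.append(f"exclusion {ex_start}-{ex_end}: start is higher than end")
        if not _same_subnet(ex_start, ex_end, netmask):
            problems.append(f"exclusion {ex_start}-{ex_end}: ends are not in the same subnet")
    return problems


# Constructed sample mirroring the new_dhcp example, plus one exclusion range.
SAMPLE_GOOD = {
    "interface": "internal",
    "start-ip": "192.168.33.100",
    "end-ip": "192.168.33.200",
    "netmask": "255.255.255.0",
    "default-gateway": "192.168.33.1",
    "lease-time": "4000",
}
SAMPLE_GOOD_EXCLUDES = [("192.168.33.150", "192.168.33.160")]

# Constructed faulty sample: end-ip in another subnet, short lease, odd-length option hex.
SAMPLE_BAD = {
    "start-ip": "192.168.33.100",
    "end-ip": "192.168.34.200",
    "netmask": "255.255.255.0",
    "lease-time": "100",
    "option1": "42 abc",
}

if __name__ == "__main__":
    print(validate_dhcp_server(SAMPLE_GOOD, SAMPLE_GOOD_EXCLUDES))   # []
    for line in validate_dhcp_server(SAMPLE_BAD):
        print("-", line)
```

The checker takes values as typed after set, so it can be fed straight from a saved configuration without converting types first.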
Command history

FortiOS v2.80  Substantially revised.
FortiOS v2.80 MR2  Added domain keyword. Removed discard-age keyword.
FortiOS v2.80 MR8  default-router changed to default-gateway. config exclude_range subcommand added (formerly config dhcp exclude_range command).
FortiOS v3.0  Changed exclude_range to exclude-range.
FortiOS v3.0 MR1  Removed edit keyword.
FortiOS v3.0 MR3  Added edit keyword.
FortiOS v3.0 MR5  Added conflicted-ip-timeout keyword.

Related topics

system dhcp reserved-address
system interface
dns

Use this command to set the DNS server addresses. Several FortiGate functions, including sending email alerts and URL blocking, use DNS.
On models numbered 100 and lower, you can use this command to configure DNS forwarding. The autosvr and fwdintf keywords are only available on models numbered 100 and lower.

Command syntax pattern

config system dns
    set autosvr {enable | disable}
    set cache-notfound-responses {enable | disable}
    set dns-cache-limit <integer>
    set domain <domain_name>
    set fwdintf <interface>
    set primary <dns_ipv4>
    set secondary <dns_ipv4>
end

Keywords and variables

autosvr {enable | disable}
    Enable or disable DNS forwarding. Available only on models numbered 100 and lower in NAT/Route mode.
    Default: disable
cache-notfound-responses {enable | disable}
    Enable to cache NOTFOUND responses from the DNS server.
    Default: disable
dns-cache-limit <integer>
    Set the maximum number of entries in the DNS cache.
    Default: 5000
domain <domain_name>
    Set the local domain name (optional).
    No default.
fwdintf <interface>
    Enter the interface to which forwarding applies: internal or dmz. Available on models numbered 100 and lower in NAT/Route mode.
    No default.
primary <dns_ipv4>
    Enter the primary DNS server IP address.
    Default: 65.39.139.53
secondary <dns_ipv4>
    Enter the secondary DNS server IP address.
    Default: 65.39.139.63

Example

This example shows how to set the primary FortiGate DNS server IP address to 45.37.121.76 and the secondary FortiGate DNS server IP address to 45.37.121.77.
config system dns
    set primary 45.37.121.76
    set secondary 45.37.121.77
end

Command history

FortiOS v2.80  Revised.
FortiOS v2.80 MR2  Added autosvr and fwdintf keywords for models numbered 100 and lower.
FortiOS v2.80 MR8  Added cache-notfound-responses keyword.
fm

Use this command to configure the FortiGate unit for secure remote administration from a FortiManager server. An IPSec VPN tunnel is invisibly pre-configured on the FortiGate unit.

Command syntax pattern

config system fm
    set auto-backup {enable | disable}
    set id <fm_serialnum>
    set ip <fm_ipv4>
    set ipsec {enable | disable}
    set scheduled-config-restore {enable | disable}
    set status {enable | disable}
    set vdom <vdom_name>
end

Variables

auto-backup {enable | disable}
    Enable automatic configuration backup on the FortiGate unit via the FortiManager.
    Default: disable
id <fm_serialnum>
    Enter the serial number of the FortiManager Server.
    No default.
ip <fm_ipv4>
    Enter the IP address of the FortiManager Server.
    No default.
ipsec {enable | disable}
    Enable to provide IPSec on the connection between the FortiGate unit and the connected FortiManager unit.
    Default: enable
scheduled-config-restore {enable | disable}
    Enable a scheduled restore of a configuration from FortiManager to the FortiGate unit.
    Default: disable
status {enable | disable}
    Enable or disable secure communication for remote administration with FortiManager.
    Only one of Central Management or FortiManager can be enabled at once, not both. To enable or disable Central Management, see central-mgmt-status in fortiguard on page 322.
    Default: disable
vdom <vdom_name>
    Enter the name of the Virtual Domain.
    Default: root

Example

This example shows how to set the FortiGate to be managed by a FortiManager Server:
config system fm
    set id FMG4002803030000
    set ip 192.20.120.100
    set ipsec enable
    set status enable
end

Command history

FortiOS v2.80 MR2  Command moved from config system global and revised.
FortiOS v2.80 MR7  Added status keyword.
FortiOS v3.0 MR5  Added auto-backup and scheduled-config-restore.
Related topics
system fortiguard
fortianalyzer, fortianalyzer2, fortianalyzer3

Use this command to configure the FortiGate unit to communicate with up to three FortiAnalyzer units. Once communication with the FortiAnalyzer unit(s) has been configured, you then need to configure logging to the FortiAnalyzer units using the log fortianalyzer filter and log fortianalyzer setting commands.
status must be set to enable for the other keywords to be visible.

Command syntax pattern

The command syntax is the same for fortianalyzer, fortianalyzer2 and fortianalyzer3.
config system fortianalyzer
    set address-mode {auto-discovery | static}
    set conn-timeout <seconds>
    set encrypt {enable | disable}
    set fdp-device <serial_number>
    set localid <identifier>
    set psksecret <pre-shared_key>
    set server <fortianalyzer_ipv4>
    set status {enable | disable}
    set ver-1 {enable | disable}
end

Variables

address-mode {auto-discovery | static}
    Select auto-discovery to have the FortiAnalyzer device automatically detect the IP address of this FortiGate unit. Select static if the FortiGate unit has a static IP address.
    Default: static
conn-timeout <seconds>
    Enter the number of seconds before the FortiAnalyzer connection times out.
    Default: 10
encrypt {enable | disable}
    Enable to use an IPSec VPN tunnel for communication. Disable to send data as plain text.
    Default: disable
fdp-device <serial_number>
    Enter the serial number of the FortiAnalyzer unit to connect to. This keyword is only available when address-mode is set to auto-discovery.
    No default.
localid <identifier>
    Enter an identifier up to 64 characters long. You must use the same identifier on the FortiGate unit and the FortiAnalyzer unit.
    No default.
psksecret <pre-shared_key>
    Enter the pre-shared key for the IPSec VPN tunnel. This is needed only if encrypt is set to enable.
    No default.
server <fortianalyzer_ipv4>
    Enter the IP address of the FortiAnalyzer unit. This keyword is only available when address-mode is set to static.
    Default: 0.0.0.0
status {enable | disable}
    Enable or disable communication with the FortiAnalyzer unit. The other keywords are available only if status is set to enable.
    Default: disable
ver-1 {enable | disable}
    Enable for a FortiAnalyzer 1.0 unit, otherwise disable.
    Default: disable
Example

This example shows how to set the FortiGate unit to communicate with a FortiAnalyzer-400 unit that is using a static IP address of 192.20.120.100:
config system fortianalyzer
    set address-mode static
    set encrypt enable
    set localid fortianalyzer-400
    set psksecret <128-character string>
    set server 192.20.120.100
    set status enable
    set ver-1 disable
    set conn-timeout 60
end

Command history

FortiOS v3.0  New.
FortiOS v3.0 MR1  Added address-mode variable.
FortiOS v3.0 MR4  Added conn-timeout variable.

Related topics

log fortianalyzer setting
fortiguard

Use this command to configure the FortiGate unit to communicate with the FortiGuard Distribution Network (FDN) and FortiGuard Services.
Normally your FortiGate unit connects to the FortiGuard servers over its system management interface. However, using the client override feature you can force your FortiGate unit to use a specific IP address and interface other than the default to connect to the FortiGuard servers.
If you have a FortiManager unit, you may use the server override feature to get your FortiGuard updates from your FortiManager unit. It downloads the updates and then distributes them over your local network. For more information see the FortiManager Administration Guide.
srv-ovrd must be enabled for srv-ovrd-list to be visible.
central-mgmt-status must be enabled for the other central-mgmt- keywords to be visible.

Command syntax pattern

config system fortiguard
    set antispam-cache {enable | disable}
    set antispam-cache-mpercent <max_integer>
    set antispam-cache-ttl <ttl_integer>
    set antispam-status {enable | disable}
    set antispam-timeout <timeout_integer>
    set avquery-cache {enable | disable}
    set avquery-cache-mpercent <max_integer>
    set avquery-cache-ttl <ttl_integer>
    set avquery-status {enable | disable}
    set avquery-timeout <timeout_integer>
    set central-mgmt-auto-backup {enable | disable}
    set central-mgmt-scheduled-config-restore {enable | disable}
    set central-mgmt-scheduled-upgrade {enable | disable}
    set central-mgmt-status {enable | disable}
    set client-override-status {enable | disable}
    set hostname <url_str>
    set ip <ovrd_ipv4>
    set port {53 | 8888}
    set service-account-id <id>
    set srv-ovrd {enable | disable}
    config srv-ovrd-list
        edit <serv_ovrd_num>
            set ip <ovrd_ipv4>
    end
    set webfilter-cache {enable | disable}
    set webfilter-cache-ttl <ttl_integer>
    set webfilter-status {enable | disable}
    set webfilter-timeout <timeout_integer>
end

Note: If you are unable to connect to the FDN server, it is possible your ISP is blocking the lower TCP and UDP ports for security reasons. Contact your ISP to make sure they unblock TCP and UDP ports 1025 to 1035, to enable FDN server traffic.
Variables

antispam-cache {enable | disable}
    Enable or disable caching the FortiGuard-Antispam Service IP address and URL block list. Enabling the cache can improve performance because the FortiGate unit does not need to access the server each time the same IP address or URL appears as the source of an email. The cache is configured to use 6% of the FortiGate RAM. When the cache is full, the least recently used IP address or URL is deleted.
    Default: enable
antispam-cache-mpercent <max_integer>
    Enter the maximum memory to be used for antispam caching. Valid numbers are from 1 to 15.
    Default: 2
antispam-cache-ttl <ttl_integer>
    Enter a time to live (TTL), in seconds, for cache entries. Enter a value from 300 to 86400 seconds.
    Default: 3600
antispam-status {enable | disable}
    Enable or disable scanning email using the FortiGuard-Antispam Service.
    Default: disable
antispam-timeout <timeout_integer>
    Set the FortiGuard-Antispam query timeout in the range 1 to 30 seconds.
    Default: 7
avquery-cache {enable | disable}
    (future)
    Default: disable
avquery-cache-ttl <ttl_integer>
    (future)
    Default: 1800
avquery-cache-mpercent <max_integer>
    Enter the maximum memory to be used for AV query caching. Valid numbers are from 1 to 15.
    Default: 2
avquery-status {enable | disable}
    (future)
    Default: disable
avquery-timeout <timeout_integer>
    Enter the time limit in seconds for the Antivirus service query timeout. Enter a value from 1 to 30.
central-mgmt-auto-backup {enable | disable}
    Enable auto-backup of the configuration of the FortiGate unit via Central Management. This keyword is available only if central-mgmt-status is set to enable.
    Default: disable
central-mgmt-scheduled-config-restore {enable | disable}
    Enable a scheduled restore of a configuration from Central Management to the FortiGate unit. This keyword is available only if central-mgmt-status is set to enable.
    Default: disable
central-mgmt-scheduled-upgrade {enable | disable}
    Enable the scheduled configuration backup via Central Management on the FortiGate unit. This keyword is available only if central-mgmt-status is set to enable.
    Default: disable
central-mgmt-status {enable | disable}
    Enable the Central Management feature on the FortiGate unit. Only Central Management or FortiManager can be enabled at one time. To enable or disable FortiManager in this capacity see fm on page 318.
    Default: disable
client-override-ip <ovrd_ipv4>
    Enter the IP address on this FortiGate unit that will be used to connect to the FortiGuard servers. This keyword is available only if client-override-status is set to enable.
    No default.
client-override-status {enable | disable}
    Enable or disable the client override IP address. This feature forces your FortiGate unit to connect to the FortiGuard servers using a specific IP address even if it has more than one IP address available.
    Default: disable
hostname <url_str>
    The host name of the FortiGuard server. The FortiGate unit comes pre-configured with the host name. Use this command only to change the host name. This keyword is not available if srv-ovrd is set to enable.
    Default: service.fortiguard.com
ip <ovrd_ipv4>
    Enter the IP address of the override server. This keyword is available only if srv-ovrd is set to enable.
    No default.
port {53 | 8888}
    The port to use for communications with the FortiGuard-Web server.
    Default: 53
service-account-id <id>
    The FortiGuard account ID. The Account ID is provided to the customer via Fortinet Customer Support when they activate their account.
srv-ovrd {enable | disable}
    Enable to override the FortiGuard server set in hostname. Specify override server(s) using the config srv-ovrd-list subcommand.
    Default: disable
config srv-ovrd-list
    Configure override server(s). This is available only if srv-ovrd is set to enable. The hostname keyword is disabled.
    edit <serv_ovrd_num>
        Enter the sequence number for the override server entry. The lowest number is 0. You can create up to 20 entries. This keyword is available only if srv-ovrd is set to enable.
        No default.
webfilter-cache {enable | disable}
    Enable or disable caching of category ratings for accessed URLs. This means that the FortiGate unit does not have to contact the server each time a commonly requested URL is accessed. The cache is configured to use 6% of the FortiGate RAM. When the cache is full, the least recently accessed URL is deleted.
    Default: enable
webfilter-cache-ttl <ttl_integer>
    Enter the cache time to live (TTL) in seconds. This is the number of seconds to store URL ratings in the cache before contacting the server again. Enter a value from 300 to 86400 seconds.
    Default: 3600
webfilter-status {enable | disable}
    Enable or disable the Web category blocking service.
    Default: disable
webfilter-timeout <timeout_integer>
    Set the FortiGuard-Antispam query timeout in the range 1 to 30 seconds.
    Default: 15

Command history

FortiOS v3.0  New.
FortiOS v3.0 MR2  Added get system fortiguard-service status command reference.
FortiOS v3.0 MR5  Added service-account-id, central-mgmt-status, central-mgmt-scheduled-upgrade, central-mgmt-auto-backup, and central-mgmt-scheduled-config-restore for the Central Management feature.

Related topics

get system dashboard
system fm
fortiguard-log

This command is only available on models numbered 100 and lower that support FortiGuard Log & Analysis. The command configures support for a FortiGuard Log & Analysis server to remotely store your FortiGate logs.

Command syntax pattern

config system fortiguard-log
    set controller-ip <ip_address>
    set controller-port <port_number>
    set override-controller {enable | disable}
end

Variables

controller-ip <ip_address>
    Enter the controller IP address.
    Default: 0.0.0.0
controller-port <port_number>
    Enter the port number of the controller. Valid range is 0 to 65535.
    Default: 0
override-controller {enable | disable}
    Enable or disable secure communication for remote administration with FortiManager.
    Default: disable

Example

This example shows how to configure the FortiGuard Log & Analysis server at the IP address of 172.20.120.254 on port 1234.
config system fortiguard-log
    set override-controller enable
    set controller-ip 172.20.120.254
    set controller-port 1234
end

Command history

FortiOS v3.0 MR4  New.
global

Use this command to configure global settings that affect various FortiGate systems and configurations.
Runtime-only config mode was introduced in FortiOS v3.0 MR2. This mode allows you to try out commands that may put your FortiGate unit into an unrecoverable state normally requiring a physical reboot. In runtime-only config mode you can set a timeout so that after a period of no input activity the FortiGate unit reboots with the last saved configuration. Another option in runtime-only configuration mode is to manually save your configuration periodically to preserve your changes. For more information see set cfg-save {automatic | manual | revert}, set cfg-revert-timeout <seconds>, and execute cfg reload.
Command syntax pattern

config system global
    set access-banner {enable | disable}
    set admin-https-pki-required {enable | disable}
    set admin-maintainer {enable | disable}
    set admin-port <port_number>
    set admin-scp {enable | disable}
    set admin-server-cert {self-sign | <certificate>}
    set admin-sport <port_number>
    set admin-ssh-port <port_number>
    set admin-ssh-v1 {enable | disable}
    set admin-telnet-port <port_number>
    set admintimeout <admin_timeout_minutes>
    set allow-interface-subnet-overlap {enable | disable}
    set auth-cert <cert-name>
    set auth-http-port <http_port>
    set auth-https-port <https_port>
    set auth-keepalive {enable | disable}
    set auth-secure-http {enable | disable}
    set auth-type {ftp | http | https | telnet |
    set authtimeout <auth_timeout_minutes>
    set av-failopen {off | one-shot | pass}
    set av-failopen-session {enable | disable}
    set batch_cmdb {enable | disable}
    set CC-mode {enable | disable}
    set cfg-save {automatic | manual | revert}
    set cfg-revert-timeout <seconds>
    set check-reset-range {enable | disable}
    set clt-cert-req {enable | disable}
    set conn-tracking {enable | disable}
    set daily-restart {enable | disable}
    set detection-summary {enable | disable}
    set dst {enable | disable}
    set failtime <failures_count>
    set fds-statistics {enable | disable}
    set forticlient-portal-port <port>
    set fsae-burst-size <packets>
    set fsae-rate-limit <pkt_sec>
    set gui-lines-per-page <gui_lines>
    set hostname <unithostname>
    set http-obfuscate {header-only | modified | no-error | none}
    set ie6workaround {enable | disable}
    set internal-switch-mode {interface | switch}
    set internal-switch-speed {100full | 100half | 10full | 10half | auto}
    set interval <deadgw_detect_seconds>
    set ip-src-port-range <start_port>-<end_port>
    set language <language>
    set lcdpin <pin_number>
    set lcdprotection {enable | disable}
    set ldapconntimeout <ldaptimeout_msec>
    set local-anomaly {enable | disable}
    set loglocaldeny {enable | disable}
    set management-vdom <domain>
    set ntpserver <ntp_server_address>
    set ntpsync {enable | disable}
    set optimize {antivirus | throughput}
    set phase1-rekey {enable | disable}
    set radius-port <radius_port>
    set refresh <refresh_seconds>
    set remoteauthtimeout <remoteauth_timeout_mins>
    set reset-sessionless-tcp {enable | disable}
    set restart-time <hh:mm>
    set show-backplane-intf {enable | disable}
    set sslvpn-sport <port_number>
    set strong-crypto {enable | disable}
    set syncinterval <ntpsync_minutes>
    set tcp-halfclose-timer <seconds>
    set tcp-halfopen-timer <seconds>
    set tcp-option {enable | disable}
    set timezone <timezone_number>
    set tos-based-priority {low | medium | high}
    set tp-mc-skip-policy {enable | disable}
    set udp-idle-timer <seconds>
    set user-server-cert <cert_name>
    set vdom-admin {enable | disable}
    set vip-arp-range {unlimited | restricted}
end
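The following is an added example, not Fortinet code: a small Python audit that reads a config system global block and reports settings that break the limits this reference states or depart from its security advice (admintimeout and authtimeout at most 480 minutes, with the default of 5 recommended; the administrative and authentication ports and ip-src-port-range within 1 to 65535; gui-lines-per-page 20 to 1000; admin-ssh-v1 left disabled). The parser handles only the flat set lines of this command, and the sample block is constructed for the demonstration.

```python
"""Audit a FortiGate 'config system global' block against the limits and
security advice this reference states. Added example, not Fortinet code.
The parser covers only the flat 'set <keyword> <value>' lines of this
command; the sample block below is constructed for the demonstration."""
import re

TIMEOUT_MAX = 480         # minutes: maximum for admintimeout and authtimeout
TIMEOUT_RECOMMENDED = 5   # minutes: the default the reference says to keep
PORT_KEYWORDS = ("admin-port", "admin-sport", "admin-ssh-port", "admin-telnet-port",
                 "auth-http-port", "auth-https-port")
SET_LINE = re.compile(r"\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_global_block(text):
    """Map each 'set <keyword> <value>' line of the block to its value string."""
    settings = {}
    for line in text.splitlines():
        match = SET_LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def _as_int(value):
    """Integer value of a CLI argument, or None when it is not a number."""
    return int(value) if value.isdigit() else None


def audit_global(settings):
    """Return (errors, warnings). Errors break a stated limit; warnings depart
    from the reference's security advice but are still accepted by the CLI."""
    errors, warnings = [], []

    # admintimeout / authtimeout: at most 480 minutes, default 5 recommended.
    for key in ("admintimeout", "authtimeout"):
        if key in settings:
            minutes = _as_int(settings[key])
            if minutes is None or minutes > TIMEOUT_MAX:
                errors.append(f"{key} {settings[key]} is not a number of minutes up to {TIMEOUT_MAX}")
            elif minutes > TIMEOUT_RECOMMENDED:
                warnings.append(f"{key} {minutes} is above the recommended {TIMEOUT_RECOMMENDED} minutes")

    # Administrative and authentication ports must be valid TCP ports.
    for key in PORT_KEYWORDS:
        if key in settings:
            port = _as_int(settings[key])
            if port is None or not 1 <= port <= 65535:
                errors.append(f"{key} {settings[key]} is not a port in 1-65535")

    # ip-src-port-range is written <start_port>-<end_port>, both within 1-65535.
    if "ip-src-port-range" in settings:
        rng = settings["ip-src-port-range"]
        match = re.fullmatch(r"(\d+)-(\d+)", rng)
        if not match or not 1 <= int(match.group(1)) <= int(match.group(2)) <= 65535:
            errors.append(f"ip-src-port-range {rng!r} must be <start_port>-<end_port> within 1-65535")

    # gui-lines-per-page accepts 20 to 1000.
    if "gui-lines-per-page" in settings:
        lines = _as_int(settings["gui-lines-per-page"])
        if lines is None or not 20 <= lines <= 1000:
            errors.append(f"gui-lines-per-page {settings['gui-lines-per-page']} is outside 20-1000")

    # SSH v1.0 compatibility is off by default; report it when switched on.
    if settings.get("admin-ssh-v1") == "enable":
        warnings.append("admin-ssh-v1 enable: SSH v1.0 compatibility is switched on")
    return errors, warnings


# Constructed sample block: two settings depart from the reference's advice.
SAMPLE_BLOCK = """\
config system global
    set hostname branch-fw-01
    set admintimeout 30
    set authtimeout 5
    set admin-ssh-v1 enable
    set admin-sport 8443
    set auth-https-port 1003
    set ip-src-port-range 1024-4999
    set gui-lines-per-page 50
end
"""

if __name__ == "__main__":
    found_errors, found_warnings = audit_global(parse_global_block(SAMPLE_BLOCK))
    for line in found_errors:
        print("ERROR  ", line)
    for line in found_warnings:
        print("WARNING", line)
```

Errors and warnings are kept apart so the script can fail a deployment on a value the unit would reject while only reporting a timeout that is legal but longer than the reference recommends.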
Keywords and variables

access-banner {enable | disable}
    Enable to display the admin access disclaimer message. For more information see system replacemsg admin on page 368.
    Default: disable
admin-https-pki-required {enable | disable}
    Enable to allow users to log in by providing a valid certificate if PKI is enabled for HTTPS administrative access. The default setting disable allows admin users to log in by providing a valid certificate or a password.
    Default: disable
admin-maintainer {enable | disable}
    Enabled by default. Disable for CC.
    Default: enable
admin-port <port_number>
    Enter the port to use for HTTP administrative access.
    Default: 80
admin-scp {enable | disable}
    Enable to allow system configuration download by the secure copy (SCP) protocol.
    Default: disable
admin-server-cert {self-sign | <certificate>}
    Select the admin HTTPS server certificate to use. Choices include self-sign and the filename of any installed certificate.
admin-sport <port_number>
    Enter the port to use for HTTPS administrative access.
    Default: 443
admin-ssh-port <port_number>
    Enter the port to use for SSH administrative access.
    Default: 22
admin-ssh-v1 {enable | disable}
    Enable compatibility with SSH v1.0.
    Default: disable
admin-telnet-port <port_number>
    Enter the port to use for telnet administrative access.
    Default: 21
admintimeout <admin_timeout_minutes>
    Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
    Default: 5
allow-interface-subnet-overlap {enable | disable}
    Enable or disable limited support for interface and VLAN subinterface IP address overlap. Use this command to enable limited support for overlapping IP addresses in an existing network configuration.
    Caution: for advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.
    Default: disable
auth-cert <cert-name>
    HTTPS server certificate for policy authentication. Self-sign is the built-in certificate, but others will be listed as you add them.
    Default: self-sign
auth-http-port <http_port>
    Set the HTTP authentication port. <http_port> can be from 1 to 65535.
    Default: 1000
auth-https-port <https_port>
    Set the HTTPS authentication port. <https_port> can be from 1 to 65535.
    Default: 1003
auth-keepalive {enable | disable}
    Enable to extend the authentication time of the session through periodic traffic to prevent an idle timeout.
    Default: disable
auth-secure-http {enable | disable}
    Enable to have HTTP user authentication redirected to a secure channel (HTTPS).
    Default: disable
auth-type {ftp | http | https | telnet |
    Set user authentication protocol support for firewall policy authentication. The user controls which protocols should support the authentication challenge.
authtimeout <auth_timeout_minutes>
    Set the number of minutes before the firewall user authentication timeout requires the user to authenticate again. The maximum authtimeout interval is 480 minutes (8 hours). To improve security, keep the authentication timeout at the default value of 5 minutes.
    Default: 5
av-failopen {off | one-shot | pass}
    Set the action to take if there is an overload of the antivirus system. Valid options are off, one-shot, and pass.
    Enter off to continue to handle and deliver connections regardless of free memory.
    Enter one-shot to bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
    Enter pass to bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
    This applies to FortiGate models numbered 300A and higher.
    Default: pass
av-failopen-session {enable | disable}
    When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. This applies to models numbered 300A and higher.
    Default: disable
batch_cmdb {enable | disable}
    Enable or disable batch mode run in cmdbsvr.
    Default: enable
CC-mode {enable | disable}
    Enable Federal Information Processing Standards/Common Criteria (FIPS/CC) mode. This is an enhanced security mode that is valid only on FIPS/CC-certified versions of the FortiGate firmware.
    Default: disable
cfg-save {automatic | manual | revert}
    Set the method for saving the FortiGate system configuration and enter runtime-only configuration mode. Methods for saving the configuration are:
        automatic: automatically save the configuration after every change
        manual: manually save the configuration using the execute cfg save command
        revert: manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires
    Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode. See execute cfg reload for more information.
    Default: automatic
cfg-revert-timeout <seconds>
    Enter the timeout interval in seconds. If the administrator makes a change and there is no activity for the timeout period, the FortiGate unit automatically reverts to the last saved configuration. Default timeout is 600 seconds. This command is available only when cfg-save is set to revert. This command is part of the runtime-only configuration mode. See execute cfg reload for more information.
    Default: 600
check-reset-range {enable | disable}
    Set whether RST out-of-window checking is performed. If set to strict (enable), RST must fall between the last ACK and the next send. If set to disable, no check is performed.
    Default: disable
clt-cert-req {enable | disable}
    Enable to require a client certificate before an administrator logs on to the web-based manager using HTTPS.
    Default: disable
conn-tracking {enable | disable}
    Enable to have the firewall drop SYN packets after the connection has been established with the remote system. This helps prevent a SYN flood and frees up system resources.
    Default: enable
daily-restart {enable | disable}
    Enable to restart the FortiGate unit every day. The time of the restart is controlled by restart-time.
    Default: disable
detection-summary {enable | disable}
    Disable to prohibit the collection of detection summary statistics for FortiGuard.
    Default: enable
dst {enable | disable}
    Enable or disable daylight saving time. If you enable daylight saving time, the FortiGate unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.
    Default: disable
failtime <failures_count>
    Set the dead gateway detection failover interval. Enter the number of times that ping fails before the FortiGate unit assumes that the gateway is no longer functioning. 0 disables dead gateway detection.
    Default: 0
fds-statistics {enable | disable}
    Enable or disable AV/IPS signature reporting. If necessary, disable to avoid error messages on HA slave units during an AV/IPS update.
    Default: enable
forticlient-portal-port <port>
    Enter the HTTP port used to download a copy of FortiClient. Valid numbers are from 0 to 65535.
    On the FortiGate models 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. For more information see the Firewall chapter and System Maintenance chapter of the FortiGate Administration Guide.
    Default: 8009
fsae-burst-size <packets>
    Set the FSAE burst size in packets.
    Default: 300
fsae-rate-limit <pkt_sec>
    Set the FSAE message rate limit in packets per second.
    Default: 100
gui-lines-per-page <gui_lines>
    Set the number of lines displayed on table lists. Range is from 20 to 1000 lines per page.
    Default: 50
hostname <unithostname>
    Enter a name for this FortiGate unit. A hostname cannot include spaces or punctuation other than hyphens and underscores. By default the hostname of your FortiGate unit is its serial number, which includes the model.
    Default: FortiGate serial number.
http-obfuscate {header-only | modified | no-error | none}
    Set the level at which the identity of the FortiGate web server is hidden or obfuscated.
        none: does not hide the FortiGate web server identity
        header-only: hides the HTTP server banner
        modified: provides modified error responses
        no-error: suppresses error responses
    Default: none
ie6workaround {enable | disable}
    Enable or disable the workaround for a navigation bar freeze issue caused by using the FortiGate web-based manager with Internet Explorer 6.
    Default: disable
internal-switch-mode {interface | switch}
    Set the mode for the internal switch to be one of interface or switch. The internal interface refers to a switch that has 4 network connections. The switch option is regular operation with one internal interface that all 4 network connections access. The interface option splits the internal interface into 4 separate interfaces, one for each network connection. The default value is switch.
    Default: switch
internal-switch-speed {100full | 100half | 10full | 10half | auto}
    Set the speed of the switch used for the internal interface. Choose one of 100full, 100half, 10full, 10half, or auto. 100 and 10 refer to 100M or 10M bandwidth. Full and half refer to full or half duplex. Default value is auto.
    Default: auto
interval <deadgw_detect_seconds>
    Select the number of seconds between pings the FortiGate unit sends to the target for dead gateway detection. Selecting 0 disables dead gateway detection.
    Default: 0
ip-src-port-range <start_port>-<end_port>
    Specify the IP source port range used for traffic originating from the FortiGate unit. The valid range for <start_port> and <end_port> is from 1 to 65535 inclusive. You can use this setting to avoid problems with networks that block some ports, such as FDN ports.
    Default: 1024-4999
Keywords and variables Description Default
system global
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 331
language <language>
    Set the web-based manager display language. You can set <language> to one of english, french, japanese, korean, simch (Simplified Chinese) or trach (Traditional Chinese).
    Default: english
lcdpin <pin_number>
    Set the 6 digit PIN administrators must enter to use the LCD panel. This applies to FortiGate models numbered 300 to 3600. Change the PIN from its well-known default before enabling lcdprotection.
    Default: 123456
lcdprotection {enable | disable}
    Enable or disable LCD panel PIN protection. This applies to FortiGate models numbered 300 to 3600.
    Default: disable
ldapconntimeout <ldaptimeout_msec>
    LDAP connection timeout in milliseconds.
    Default: 500
local-anomaly {enable | disable}
    Enable to apply anomaly detection and protection to traffic addressed to the FortiGate unit itself. Traffic to the FortiGate unit consists mostly of management services.
    Default: disable
loglocaldeny {enable | disable}
    Enable or disable logging of failed connection attempts to the FortiGate unit that use TCP/IP ports other than the ports configured for management access (443 for HTTPS, 22 for SSH, 23 for Telnet, and 80 for HTTP by default).
    Default: disable
management-vdom <domain>
    Enter the name of the management virtual domain. Management traffic such as FortiGuard traffic originates from the management VDOM.
    Default: root
ntpserver <ntp_server_address>
    Enter the domain name or IP address of a Network Time Protocol (NTP) server.
    Default: 132.246.168.148
ntpsync {enable | disable}
    Enable or disable automatically updating the system date and time by connecting to a Network Time Protocol (NTP) server. For more information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
    Default: disable
optimize {antivirus | throughput}
    Set firmware performance optimization to either antivirus or throughput. This is available on FortiGate models numbered 1000 and higher.
    Default: no default
phase1-rekey {enable | disable}
    Enable or disable automatic rekeying between IKE peers before the phase 1 keylife expires.
    Default: enable
radius-port <radius_port>
    Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your FortiGate unit.
    Default: 1812
refresh <refresh_seconds>
    Set the Automatic Refresh Interval, in seconds, for the web-based manager System Status Monitor. Enter 0 for no automatic refresh.
    Default: 0
remoteauthtimeout <remoteauth_timeout_mins>
    Timeout for RADIUS/LDAP authentication in minutes. To improve security keep the remote authentication timeout at the default value of 5 minutes.
    Default: 5
reset-sessionless-tcp {enable | disable}
    The reset-sessionless-tcp keyword determines what the FortiGate unit does when it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out.
    If reset-sessionless-tcp is disabled, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might retransmit the packet several times before attempting to start a new session. This is normal network operation.
    If reset-sessionless-tcp is enabled, the FortiGate unit sends a RST packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session.
    Enabling this option may help resolve issues with a problematic server, but it makes the FortiGate unit more vulnerable to denial of service attacks, because the unit now answers every out-of-state segment, including spoofed ones, with a packet of its own. In most cases you should leave reset-sessionless-tcp disabled.
    This is available in NAT/Route mode only.
    Default: disable
restart-time <hh:mm>
    Enter the daily restart time in hh:mm format (hours and minutes). This is available only when daily-restart is enabled.
    Default: no default
show-backplane-intf {enable | disable}
    Select enable to show FortiGate-5000 backplane interfaces as port9 and port10. Once these backplane interfaces are visible they can be treated as regular physical interfaces. This is only available on FortiGate-5000 models.
    Default: disable
sslvpn-sport <port_number>
    Enter the port to use for SSL-VPN access (HTTPS).
    Default: 443
strong-crypto {enable | disable}
    Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access.
    When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). Microsoft Internet Explorer 5.0 and 6.0 are not supported with strong encryption.
    Default: disable
switch-view {enable | disable}
    This is available on the FortiGate-224B unit only. Enable to use switch security features. See switch on page 279.
syncinterval <ntpsync_minutes>
    Enter how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. The syncinterval number can be from 1 to 1440 minutes. Setting it to 0 disables time synchronization.
    Default: 0
tcp-halfclose-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
    Default: 120
tcp-halfopen-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet (SYN) but the other has not responded. The valid range is from 1 to 86400 seconds.
    Default: 60
tcp-option {enable | disable}
    Enable or disable the SACK, timestamp and MSS TCP options. For normal operation tcp-option should be enabled. Disable for performance testing or in rare cases where it impairs performance.
    Default: enable
timezone <timezone_number>
    The number corresponding to your time zone, from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiGate unit from the list and enter the correct number.
    Default: 00
tos-based-priority {low | medium | high}
    Select the default system-wide priority level for Type of Service (TOS). TOS determines the priority of traffic for scheduling. Typically this is set per service type; see system tos-based-priority for more information. The value of this keyword is the default used when TOS is not configured at the service level.
    Default: high
tp-mc-skip-policy {enable | disable}
    Enable to pass multicast traffic through without checking it against firewall policies.
    Default: disable
udp-idle-timer <seconds>
    Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
    Default: 180
user-server-cert <cert_name>
    Select the certificate to use for HTTPS user authentication.
    Default: self-sign
vdom-admin {enable | disable}
    Enable to configure multiple virtual domains.
    Default: disable
vip-arp-range {unlimited | restricted}
    vip-arp-range controls the number of ARP packets the FortiGate unit sends for a VIP range. If restricted, the FortiGate unit sends ARP packets for only the first 8192 addresses in a VIP range. If unlimited, the FortiGate unit sends ARP packets for every address in the VIP range.
    Default: restricted
Example
This example shows how to enable daylight saving time.
    config system global
        set dst enable
    end
Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 The ip-overlap keyword was changed to allow-interface-subnet-overlap.
FortiOS v2.80 MR3 Added av_failopen and reset_sessionless_tcp keywords.
FortiOS v2.80 MR4 Moved date and time to the execute branch. Added phase1-rekey keyword.
FortiOS v2.80 MR6 Added ips-open keyword.
FortiOS v3.0 Removed management-vdom, opmode keywords. Added detection-summary, fsae-burst-size, fsae-rate-limit, ldapconntimeout, remoteauthtimeout. Changed underscore to hyphen in av-failopen, conn-tracking, ip-signature, local-anomaly, mc-ttl-notchange, radius-port, reset-sessionless-tcp, restart-time, tcp-option.
FortiOS v3.0 MR1 Removed sslvpn-enable keyword. Added av-failopen-session, management-vdom, strong-crypto keywords.
FortiOS v3.0 MR2 Added admin-ssh-port, admin-telnet-port, cfg-save, cfg-revert-timeout, tcp-halfopen-timer, tos-based-priority.
FortiOS v3.0 MR3 Added fds-statistics and udp-idle-timer. Removed mc-ttl-notchange, batch_sleep, and multicast-forward.
FortiOS v3.0 MR4 Added access-banner, admin-server-cert, admin-telnet-port, forticlient-portal-port and tcp-halfopen-timer. Removed asymroute.
FortiOS v3.0 MR5 Added admin-https-pki-required, admin-maintainer, user-server-cert, internal-switch-mode, internal-switch-speed, forticlient-portal-port, tp-mc-skip-policy. Added auth-cert command.
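The following is an added example, not part of the original reference, that collects the security-relevant system global keywords from the table above into one hardening block. The NTP address 192.0.2.10 is a constructed documentation address; the lines beginning with # are annotations and assume the CLI ignores them, so drop them if you paste into an interactive session.

```text
# Added example: administrative-surface hardening under config system global.
config system global
    # Only AES/3DES with SHA1 for HTTPS and SSH admin sessions (default is disable)
    set strong-crypto enable
    # Log connection attempts to the unit on ports other than the admin ports
    set loglocaldeny enable
    # Keep the DoS-safe default: drop, do not RST, TCP segments that match no session
    set reset-sessionless-tcp disable
    # Hide the web server banner and error pages from fingerprinting
    set http-obfuscate no-error
    # Trusted time keeps log timestamps and certificate validity checks honest
    # (192.0.2.10 is a constructed documentation address)
    set ntpsync enable
    set ntpserver 192.0.2.10
    set syncinterval 60
    # Dead gateway detection: probe every 5 seconds, declare the gateway down after 3 misses
    set interval 5
    set failtime 3
    # Do not cache RADIUS/LDAP authentication results longer than the 5 minute default
    set remoteauthtimeout 5
end
# Confirm the result: get lists every keyword with its current value
get system global
```

The only keyword here that trades something away is reset-sessionless-tcp: it is left at its default precisely because the table warns that enabling it turns every stray or spoofed segment into a reply.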
Related topics
execute cfg reload
execute cfg save
gre-tunnel
Use this command to configure the tunnel for a GRE interface. A new interface of type tunnel with the same name is created automatically as the local end of the tunnel. This command is available only in NAT/Route mode.
GRE itself provides no confidentiality or integrity protection: traffic inside the tunnel crosses the transit network in the clear, so use it only for traffic that needs no protection or carry the GRE tunnel inside an IPSec tunnel.
To complete the configuration of a GRE tunnel, you need to:
- configure a firewall policy to pass traffic from the local private network to the tunnel interface
- configure a static route to the private network at the remote end of the tunnel using the GRE tunnel device
- optionally, define the IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to enable pinging of each end of the tunnel for testing
Command syntax pattern
    config system gre-tunnel
        edit <tunnel_name>
            set interface <interface_name>
            set local-gw <localgw_IP>
            set remote-gw <remotegw_IP>
    end
Variables
edit <tunnel_name>
    Enter a name for the tunnel.
    Default: no default
interface <interface_name>
    Enter the physical or VLAN interface that functions as the local end of the tunnel.
local-gw <localgw_IP>
    Enter the IP address of the local gateway.
remote-gw <remotegw_IP>
    Enter the IP address of the remote gateway.
Example
In this example, a GRE tunnel is needed between two sites using FortiGate units. Users on the 192.168.2.0/24 network at Site A need to communicate with users on the 192.168.3.0/24 network at Site B. At both sites the private network is connected to Port 2 of the FortiGate unit and the connection to the Internet is through Port 1. At Site A, the public IP address is 172.16.67.199 and at Site B it is 172.16.68.198.
The policies below accept any service between the two private networks in both directions; in production, narrow srcaddr, dstaddr and service to what the sites actually need to exchange.
Site A configuration
    config system gre-tunnel
        edit toSiteB
            set interface port1
            set local-gw 172.16.67.199
            set remote-gw 172.16.68.198
    end
    config firewall policy
        edit 1
            set src-intf port2
            set dst-intf toSiteB
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
        next
        edit 2
            set src-intf toSiteB
            set dst-intf port2
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
    end
    config router static
        edit 1
            set device toSiteB
            set dst 192.168.3.0/24
    end
    (Optional)
    config system interface
        edit toSiteB
            set ip 10.0.0.1/32
            set remote-ip 10.0.0.2
            set allowaccess ping
    end
Site B configuration
    config system gre-tunnel
        edit toSiteA
            set interface port1
            set local-gw 172.16.68.198
            set remote-gw 172.16.67.199
    end
    config firewall policy
        edit 1
            set src-intf port2
            set dst-intf toSiteA
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
        next
        edit 2
            set src-intf toSiteA
            set dst-intf port2
            set srcaddr all
            set dstaddr all
            set action accept
            set service ANY
            set schedule always
    end
    config router static
        edit 1
            set device toSiteA
            set dst 192.168.2.0/24
    end
    (Optional)
    config system interface
        edit toSiteA
            set ip 10.0.0.2/32
            set remote-ip 10.0.0.1
            set allowaccess ping
    end
Command history
FortiOS v3.0 New
Related topics
system interface
firewall policy, policy6
router static
ha
Use this command to enable and configure FortiGate high availability (HA) and virtual clustering. HA is supported on FortiGate and FortiWiFi models numbered 60 and higher, except model 224B. Using the config system ha command you must configure all cluster members with the same group name, mode, and password before the FortiGate units can form a cluster.
Group name, mode, password, as well as priority and group ID are not synchronized between cluster units. The primary unit synchronizes all other configuration settings, including the other HA configuration settings.
When virtual domains are enabled on FortiGate units that are to operate in HA mode, you are configuring virtual clustering. With virtual clustering you create two virtual clusters and add virtual domains to each cluster. Configuring virtual clustering is very similar to configuring normal HA except that in a virtual cluster the HA mode can only be set to active-passive. Additional options are available for adding virtual domains to each virtual cluster and for setting the device priority of each device in each virtual cluster.
For complete information about how to configure and operate FortiGate HA clusters and more detail about the config system ha CLI command, see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.
Command syntax pattern
    config system ha
        set arps <arp_integer>
        set authentication {disable | enable}
        set encryption {disable | enable}
        set group-id <id_integer>
        set group-name <name_str>
        set hb-interval <interval_integer>
        set hb-lost-threshold <threshold_integer>
        set hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>] ...
        set helo-holddown <holddown_integer>
        set link-failed-signal {disable | enable}
        set load-balance-all {disable | enable}
        set mode {a-a | a-p | standalone}
        set monitor <interface_names>
        set override {disable | enable}
        set password <password_str>
        set priority <priority_integer>
        set route-hold <hold_integer>
        set route-ttl <ttl_integer>
        set route-wait <wait_integer>
        set schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
        set session-pickup {disable | enable}
        set sync-config {disable | enable}
        set uninterruptable-upgrade {disable | enable}
        set weight <priority_integer> <weight_integer>
        set vdom <vdom_names>
        set vcluster2 {disable | enable}
        config secondary-vcluster
            set monitor <interface_names>
            set override {disable | enable}
            set priority <priority_integer>
            set vdom <vdom_names>
        end
    end
Note: You cannot enable HA mode if one of the FortiGate unit interfaces uses DHCP or PPPoE to acquire an IP address. If DHCP or PPPoE is configured, the config system ha mode keyword is not available.
Keywords and variables
arps <arp_integer>
    Set the number of gratuitous ARP packets sent by the primary unit. Gratuitous ARP packets are sent when a cluster unit becomes a primary unit. The gratuitous ARP packets configure connected networks to associate the cluster virtual MAC address with the cluster IP address. The range is 1 to 16 gratuitous ARP packets. Normally you would not need to change the number of gratuitous ARP packets.
    Default: 5
authentication {disable | enable}
    Enable/disable HA heartbeat message authentication. Enabling HA heartbeat message authentication prevents an attacker from creating false HA heartbeat messages. False HA heartbeat messages could affect the stability of the cluster. This is disabled by default; enable it, together with encryption, whenever the heartbeat interfaces are not dedicated, physically isolated links.
    Default: disable
encryption {disable | enable}
    Enable/disable HA heartbeat message encryption. Enabling HA heartbeat message encryption prevents an attacker from sniffing HA packets to get HA cluster information.
    Default: disable
group-id <id_integer>
    The HA group ID. The group ID range is from 0 to 63. All members of the HA cluster must have the same group ID. Changing the group ID changes the cluster virtual MAC address.
    Default: 0
group-name <name_str>
    The HA group name. All cluster members must have the same group name.
    Default: FGT-HA
hb-lost-threshold <threshold_integer>
    The lost heartbeat threshold, which is the number of seconds to wait to receive a heartbeat packet from another cluster unit before assuming that the cluster unit has failed. The lost heartbeat threshold range is 1 to 60 seconds.
    Default: 20
hb-interval <interval_integer>
    The heartbeat interval, which is the time between sending heartbeat packets, in units of 100 ms. The heartbeat interval range is 1 to 20 (100 ms to 2 seconds).
    Default: 2 (200 ms)
hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>] ...
    Select the FortiGate interfaces to be heartbeat interfaces and set the heartbeat priority for each interface. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface that is highest in the interface list processes all heartbeat traffic.
    By default two interfaces are configured to be heartbeat interfaces and the priority for both these interfaces is set to 50. The heartbeat interface priority range is 0 to 512. In most cases you can keep the default hbdev configuration as long as you can connect the hbdev interfaces together. On the FortiGate-50B only one interface is configured as the default heartbeat interface.
    To change the heartbeat interface configuration, enter a list of interface name and priority pairs. Enter the name of each interface followed by its priority. Use a space to separate each interface name and priority pair. If you want to remove an interface from the list, add an interface to the list, or change a priority, you must retype the entire updated list.
    Heartbeat communication must be enabled on at least one interface. If heartbeat communication is interrupted the cluster stops processing traffic.
    You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.
    Default: depends on the FortiGate model
helo-holddown <holddown_integer>
    The hello state hold-down time, which is the number of seconds that a cluster unit waits before changing from hello state to work state. A cluster unit changes from hello state to work state when it starts up. The hello state hold-down time range is 5 to 300 seconds.
    Default: 20
link-failed-signal {disable | enable}
    Enable or disable shutting down all primary unit interfaces (except for heartbeat device interfaces) for one second when a link failover occurs. If all interfaces are not shut down in this way, some switches may not detect that the primary unit has become a subordinate unit and may keep sending packets to the former primary unit.
    Default: disable
load-balance-all {disable | enable}
    If mode is set to a-a, choose whether active-active HA load balances all TCP sessions as well as sessions for firewall policies that include protection profiles (enable), or only sessions for firewall policies that include protection profiles (disable). UDP, ICMP, multicast, and broadcast traffic is never load balanced and is always processed by the primary unit. VoIP traffic, IM traffic, IPSec VPN traffic, and SSL VPN traffic is also always processed only by the primary unit.
    Default: disable
mode {a-a | a-p | standalone}
    Set the HA mode.
    Enter a-p to create an Active-Passive HA cluster, in which the primary cluster unit actively processes all connections and the other cluster units passively monitor the cluster status and remain synchronized with the primary cluster unit.
    Enter a-a to create an Active-Active HA cluster, in which each cluster unit actively processes connections and monitors the status of the other FortiGate units.
    All members of an HA cluster must be set to the same HA mode. Not available if a FortiGate interface mode is set to dhcp or pppoe. a-a mode is not available for virtual clusters.
    Default: standalone
monitor <interface_names>
    Enable or disable port monitoring for link failure. Port monitoring checks FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks.
    Enter the names of the interfaces to monitor. Use a space to separate each interface name. If you want to remove an interface from the list or add an interface to the list you must retype the list with the names changed as required.
    You can monitor physical interfaces, redundant interfaces, and 802.3ad aggregated interfaces but not VLAN subinterfaces or IPSec VPN interfaces. You cannot monitor interfaces that are 4-port switches. This includes the internal interface of FortiGate models 50B, 60, 60M, 100A, 200A, and FortiWiFi-60. This also includes the LAN interface of the FortiGate-500A.
    You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces.
    Default: no default
override {disable | enable}
    Enable or disable forcing the cluster to renegotiate and select a new primary unit every time a cluster unit leaves or joins a cluster, changes status within a cluster, or every time the HA configuration of a cluster unit changes. The override setting is not synchronized to all cluster units.
    Enabling override makes cluster operation more predictable but may lead to the cluster negotiating more often. During cluster negotiation traffic may be interrupted.
    For a virtual cluster configuration, override is enabled by default for both virtual clusters when you enter set vcluster2 enable to enable virtual cluster 2. Usually you would enable virtual cluster 2 and expect one cluster unit to be the primary unit for virtual cluster 1 and the other cluster unit to be the primary unit for virtual cluster 2. For this distribution to occur override must be enabled for both virtual clusters. Otherwise you will need to restart the cluster to force it to renegotiate. You can choose to disable override for both virtual clusters once the cluster is operating.
    Default: disable; enable when you use set vcluster2 enable to enable virtual cluster 2
password <password_str>
    Enter a password for the HA cluster. The password must be the same for all FortiGate units in the cluster. The maximum password length is 15 characters. If you have more than one FortiGate HA cluster on the same network, each cluster must have a different password.
    Default: no default
priority <priority_integer>
    Change the device priority of the cluster unit. Each cluster unit can have a different device priority (the device priority is not synchronized among cluster members). During HA negotiation, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.
    Default: 128
route-hold <hold_integer>
    The time that the primary unit waits between sending routing table updates to subordinate units in a cluster. The route hold range is 0 to 3600 seconds.
    Default: 10
route-ttl <ttl_integer>
    The time to live for routes in a cluster unit routing table. The time to live range is 0 to 3600 seconds. The time to live controls how long routes remain active in a cluster unit routing table after the cluster unit becomes a primary unit. To maintain communication sessions after a cluster unit becomes a primary unit, routes remain active in the routing table for the route time to live while the new primary unit acquires new routes.
    Default: 10
route-wait <wait_integer>
    The time the primary unit waits after receiving a routing table update before sending the update to the subordinate units in the cluster. For quick routing table updates to occur, set route-wait to a relatively short time so that the primary unit does not hold routing table changes for too long before updating the subordinate units. The route-wait range is 0 to 3600 seconds.
    Default: 0
schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
    Active-active load balancing schedule.
    hub: load balancing if the cluster interfaces are connected to hubs. Traffic is distributed to cluster units based on the source IP and destination IP of the packet.
    ip: load balancing according to IP address. If the cluster units are connected using switches, use ip to distribute traffic to units in a cluster based on the source IP and destination IP of the packet.
    ipport: load balancing according to IP address and port. If the cluster units are connected using switches, use ipport to distribute traffic to units in a cluster based on the source IP, source port, destination IP, and destination port of the packet.
    leastconnection: least connection load balancing. If the cluster units are connected using switches, use leastconnection to distribute traffic to the cluster unit currently processing the fewest connections.
    none: no load balancing. Use none when the cluster interfaces are connected to load balancing switches.
    random: random load balancing. If the cluster units are connected using switches, use random to randomly distribute traffic to cluster units.
    round-robin: round robin load balancing. If the cluster units are connected using switches, use round-robin to distribute traffic to the next available cluster unit.
    weight-round-robin: weighted round robin load balancing. Similar to round robin, but you can use the weight keyword to assign weighted values to each of the units in a cluster based on their capacity and on how many connections they are currently processing. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic. Weighted round robin distributes traffic more evenly because units that are not processing traffic are more likely to receive new connections than units that are very busy.
    Default: round-robin
session-pickup {disable | enable}
    Enable or disable session pickup. Enable session-pickup so that if the primary unit fails, all sessions are picked up by the new primary unit.
    If you enable session pickup the subordinate units maintain session tables that match the primary unit session table. If the primary unit fails, the new primary unit can maintain all active communication sessions.
    If you do not enable session pickup the subordinate units do not maintain session tables. If the primary unit fails all sessions are interrupted and must be restarted when the new primary unit is operating.
    You must enable session pickup for effective failover protection. If you do not require effective failover protection, leaving session pickup disabled may reduce HA CPU usage and reduce HA heartbeat network bandwidth usage.
    Default: disable
sync-config {disable | enable}
    Enable or disable automatic synchronization of primary unit configuration changes to all cluster units.
    Default: enable
uni nt er r upt abl e- upgr ade
{di sabl e | enabl e}
Enable or disable upgrading the cluster without interrupting
cluster traffic processing.
If uni nt er r upt abl e- upgr ade is enabled, traffic
processing is not interrupted during a normal firmware
upgrade. This process can take some time and may reduce
the capacity of the cluster for a short time.
If uni nt er r upt abl e- upgr ade is disabled, traffic
processing is interrupted during a normal firmware upgrade
(similar to upgrading the firmware operating on a standalone
FortiGate unit).
enabl e
weight <priority_integer> <weight_integer>
    The weighted round robin load balancing weight to assign to each cluster unit. When you set schedule to weight-round-robin you can use the weight keyword to set the weight of each cluster unit. The weight is set according to the priority of the unit in the cluster. A FortiGate HA cluster can contain up to 32 FortiGate units, so you can set up to 32 weights.
    The default weight of 1 1 1 1 means that the first four units in the cluster all have the same weight of 1.
    priority_integer is a number from 0 to 31 that identifies the priority of the cluster unit.
    weight_integer is a number between 0 and 31 that is the weight assigned to the cluster unit with that priority. Increase the weight to increase the number of connections processed by the cluster unit with that priority.
    weight is available when mode is set to a-a and schedule is set to weight-round-robin.
    Default: 1 1 1 1
vdom <vdom_names>
    Add virtual domains to virtual cluster 1 or virtual cluster 2. Virtual cluster 2 is also called the secondary virtual cluster.
    In the config system ha shell, use set vdom to add virtual domains to virtual cluster 1. Adding a virtual domain to virtual cluster 1 removes that virtual domain from virtual cluster 2.
    In the config secondary-vcluster shell, use set vdom to add virtual domains to virtual cluster 2. Adding a virtual domain to virtual cluster 2 removes it from virtual cluster 1.
    You can use vdom to add virtual domains to a virtual cluster in any combination. You can add virtual domains one at a time or you can add multiple virtual domains at a time. For example, entering set vdom domain_1 followed by set vdom domain_2 has the same result as entering set vdom domain_1 domain_2.
    Default: all virtual domains are added to virtual cluster 1.
vcluster2 {disable | enable}
    Enable or disable virtual cluster 2.
    In the global virtual domain configuration, virtual cluster 2 is enabled by default. When virtual cluster 2 is enabled you can use config secondary-vcluster to configure virtual cluster 2.
    Disable virtual cluster 2 to move all virtual domains from virtual cluster 2 back to virtual cluster 1.
    Enabling virtual cluster 2 enables override for virtual cluster 1 and virtual cluster 2.
    Default: disable
config secondary-vcluster
    Configure virtual cluster 2. You must enable vcluster2. Then you can use config secondary-vcluster to set monitor, override, priority, and vdom for virtual cluster 2.
    Default: same defaults as virtual cluster 1, except that the default value for override is enable.
Examples
This example shows how to configure a FortiGate unit for active-active HA operation. The example shows how to set up a basic HA configuration by setting the HA mode, changing the group-name, and entering a password. You would enter the exact same commands on every FortiGate unit in the cluster. In the example virtual domains are not enabled.
config system ha
    set mode a-a
    set group-name myname
    set password HApass
end
The following example shows how to configure a FortiGate unit with virtual domains enabled for active-passive HA operation. In the example, the FortiGate unit is configured with three virtual domains (domain_1, domain_2, and domain_3) in addition to the root virtual domain. The example shows how to set up a basic HA configuration similar to the previous example, except that the HA mode can only be set to a-p. In addition, the example shows how to enable vcluster2 and how to add the virtual domains domain_2 and domain_3 to vcluster2.
config global
    config system ha
        set mode a-p
        set group-name myname
        set password HApass
        set vcluster2 enable
        config secondary-vcluster
            set vdom domain_2 domain_3
        end
    end
end
The following example shows how to change the device priority of the primary unit to 200 so that this cluster unit always becomes the primary unit. When you log into the cluster you are actually connecting to the primary unit. When you change the device priority of the primary unit this change only affects the primary unit because the device priority is not synchronized to all cluster units. After you enter the following commands the cluster renegotiates and may select a new primary unit.
config system ha
    set priority 200
end
The following example shows how to change the device priority of a subordinate unit to 255 so that this subordinate unit becomes the primary unit. This example involves connecting to the cluster CLI and using the execute ha manage 0 command to connect to the highest priority subordinate unit. After you enter the following commands the cluster renegotiates and selects a new primary unit.
execute ha manage 0
config system ha
    set priority 255
end
The following example shows how to change the device priority of the primary unit in virtual cluster 2. The example involves connecting to the virtual cluster CLI and changing the global configuration. In the example virtual cluster 2 has already been enabled, so all you have to do is use the config secondary-vcluster command to configure virtual cluster 2.
config global
    config system ha
        config secondary-vcluster
            set priority 50
        end
    end
end
The following example shows how to change the default heartbeat interface configuration so that the port4 and port1 interfaces can be used for HA heartbeat communication and to give the port4 interface the highest heartbeat priority so that port4 is the preferred HA heartbeat interface.
config system ha
    set hbdev port4 100 port1 50
end
The following example shows how to enable monitoring for the external, internal, and DMZ interfaces.
config system ha
    set monitor external internal dmz
end
The following example shows how to configure weighted round robin weights for a cluster of three FortiGate units. You can enter the following commands to configure the weight values for each unit:
config system ha
    set schedule weight-round-robin
    set weight 0 1
    set weight 1 3
    set weight 2 3
end
These commands have the following results:
The first connection is processed by the primary unit (priority 0, weight 1).
The next three connections are processed by the first subordinate unit (priority 1, weight 3).
The next three connections are processed by the second subordinate unit (priority 2, weight 3).
The subordinate units process more connections than the primary unit, and both subordinate units, on average, process the same number of connections.
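The connection distribution described above, modelled in Python as an added example. This is not Fortinet code and the page does not describe the scheduler's internals beyond the connection order stated above, so the model assumes that each unit, in priority order, takes weight consecutive new connections, that the rotation then repeats, and that a weight of 0 takes a unit out of the rotation; the 0 to 31 ranges for priority and weight are the ones given in the weight row of the table.

```python
from collections import Counter
from itertools import cycle

MAX_PRIORITY = 31  # priority_integer range 0-31, from the weight row
MAX_WEIGHT = 31    # weight_integer range 0-31, from the weight row


def wrr_sequence(weights, connections):
    """Return the unit priority that handles each of `connections` successive
    new connections under weighted round robin, given {priority: weight}.

    Assumed model (not the device's own algorithm): each unit in priority order
    takes `weight` consecutive connections, then the rotation repeats; a unit
    with weight 0 receives no connections.
    """
    for prio, w in weights.items():
        if not 0 <= prio <= MAX_PRIORITY or not 0 <= w <= MAX_WEIGHT:
            raise ValueError(f"priority {prio} / weight {w} out of range 0-31")
    # One rotation: priority 0 repeated weight[0] times, then priority 1, ...
    rotation = [p for p in sorted(weights) for _ in range(weights[p])]
    if not rotation:
        raise ValueError("all weights are 0: no unit can accept connections")
    return [p for p, _ in zip(cycle(rotation), range(connections))]


def connection_share(weights, connections):
    """Count how many of `connections` each unit priority receives."""
    return dict(Counter(wrr_sequence(weights, connections)))


if __name__ == "__main__":
    # The weights set in the example above: set weight 0 1, set weight 1 3, set weight 2 3
    example_weights = {0: 1, 1: 3, 2: 3}
    print(wrr_sequence(example_weights, 7))      # one full rotation
    print(connection_share(example_weights, 70)) # share over ten rotations
```

Running it with the three weights from the example gives the rotation 0, 1, 1, 1, 2, 2, 2 and, over 70 connections, 10 for the primary unit and 30 for each subordinate unit, which is the outcome the text describes. Setting a unit's weight to 0 is the way to keep a unit in the cluster without giving it any new connections.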
Table 5: Example weights for three cluster units
Cluster unit priority    Weight
0                        1
1                        3
2                        3
This example shows how to display the settings for the system ha command.
get system ha
This example shows how to display the configuration for the system ha command.
show system ha
Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Added load-balance-all keyword.
FortiOS v2.80 MR5 Added route-hold, route-wait, and route-ttl keywords.
FortiOS v2.80 MR6 Added authentication, arps, encryption, hb-lost-threshold, helo-holddown, and hb-interval keywords.
FortiOS v2.80 MR7 Changes to the weight keyword.
FortiOS v2.80 MR10 New link-failed-signal keyword.
FortiOS v3.0 Added group-name, session-pickup, sync-config, vdom, vcluster2, and config secondary-vcluster keywords. The monitor and hbdev functionality has been simplified; priority numbers are no longer supported.
FortiOS v3.0 MR3 Added uninterruptable-upgrade keyword.
FortiOS v3.0 MR4 Priorities added back to the hbdev keyword.
FortiOS v3.0 MR5 In a virtual cluster configuration override is enabled for virtual cluster 1 and virtual cluster 2 when you enter set vcluster2 enable to enable virtual cluster 2.
interface
Use this command to edit the configuration of a FortiGate physical interface, VLAN subinterface, IEEE
802.3ad aggregate interface, redundant interface or IPSec tunnel interface.
In the following table, VLAN subinterface can be substituted for interface in most places except that
you can only configure VLAN subinterfaces with static IP addresses. Use the edit command to add a
VLAN subinterface.
Some keywords are specific to aggregate interfaces. These appear at the end of the list of commands
under variables for aggregate and redundant interfaces (models 800 and higher only) on page 359.
Command syntax pattern
Entering a name string for the edit keyword that is not the name of a physical interface adds a VLAN subinterface.
Note: VLAN communication over the backplane interfaces is available for FortiGate-5000 modules installed in a FortiGate-5020 chassis. The FortiSwitch-5003 does not support VLAN-tagged packets, so VLAN communication is not available over the FortiGate-5050 and FortiGate-5140 chassis backplanes.
config system interface
    edit <interface_name>
        set allowaccess <access_types>
        set alias <name_string>
        set arpforward {enable | disable}
        set auth-type <ppp_auth_method>
        set bfd {enable | disable | global}
        set bfd-desired-min-tx <interval_msec>
        set bfd-detect-mult <multiplier>
        set bfd-required-min-rx <interval_msec>
        set broadcast-forward {enable | disable}
        set connection {enable | disable}
        set ddns {enable | disable}
        set ddns-domain <ddns_domain_name>
        set ddns-password <ddns_password>
        set ddns-profile-id <dnsart_profile_id>
        set ddns-server <ddns_service>
        set ddns-sn <ddns_sn>
        set ddns-username <ddns_username>
        set defaultgw {enable | disable}
        set detectserver <pingserver_ipv4> [pingserver2_ipv4]
        set description <text>
        set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
        set dhcp-relay-service {enable | disable}
        set dhcp-relay-type {ipsec | regular}
        set disc-retry-timeout <pppoe_retry_seconds>
        set distance <admin_distance>
        set dns-server-override {enable | disable}
        set fortimanager-discover-helper {enable | disable}
        set forward-domain <collision_group_number>
        set fp-anomaly [...]
        set gateway_address <IPv4>
        set gwdetect {enable | disable}
        set icmp-redirect {enable | disable}
        set ident-accept {enable | disable}
        set idle-timeout <pppoe_timeout_seconds>
        set inbandwidth <bandwidth_integer>
        set interface <port_name>
        set ip <interface_ipv4mask>
        set ipmac {enable | disable}
        set ipunnumbered <unnumbered_ipv4>
        set l2forward {enable | disable}
        set l2tp-client {enable | disable}
        set lacp-ha-slave {enable | disable}
        set lacp-mode {active | passive | static}
        set lacp-speed {fast | slow}
        set lcp-echo-interval <lcp_interval_seconds>
        set lcp-max-echo-failures <missed_echoes>
        set log {enable | disable}
        set macaddr <mac_address>
        set mediatype {serdes | sgmii}
        set member <if_name1> <if_name2> ...
        set mode <interface_mode>
        set mtu <mtu_bytes>
        set mtu-override {enable | disable}
        set mux-type {llc-encaps | vc-encaps}
        set netbios-forward {disable | enable}
        set padt-retry-timeout <padt_retry_seconds>
        set password <pppoe_password>
        set peer-interface <interface>
        set priority <learned_priority>
        set remote-ip <ipv4>
        set speed <interface_speed>
        set status {down | up}
        set stpforward {enable | disable}
        set subst {enable | disable}
        set substitute-dst-mac <destination_mac_address>
        set tcp-mss <max_send_bytes>
        set type {adsl | aggregate | loopback | physical | redundant | tunnel | vlan | wireless}
        set username <pppoe_username>
        set vci <integer>
        set vdom <vdom_name>
        set vlanforward {enable | disable}
        set vlanid <id_number>
        set vpi <integer>
        set wifi-acl {allow | deny}
        set wifi-auth {PSK | RADIUS}
        set wifi-broadcast_ssid {enable | disable}
        set wifi-encrypt {AES | TKIP}
        set wifi-fragment_threshold <packet_size>
        set wifi-key <hex_key>
        set wifi-mac-filter {enable | disable}
        set wifi-passphrase <pass_str>
        set wifi-radius-server <server_name>
        set wifi-rts_threshold <integer>
        set wifi-security <sec_mode>
        set wifi-ssid <id_str>
        set wins-ip <wins_server_ip>
        config ipv6
            set ip6-address <if_ipv6mask>
            set ip6-allowaccess <access_types>
            set ip6-default-life <ipv6_life_seconds>
            set ip6-hop-limit <ipv6_hops_limit>
            set ip6-link-mtu <ipv6_mtu>
            set ip6-manage-flag {disable | enable}
            set ip6-max-interval <adverts_max_seconds>
            set ip6-min-interval <adverts_min_seconds>
            set ip6-other-flag {disable | enable}
            set ip6-reachable-time <reachable_msecs>
            set ip6-retrans-time <retrans_msecs>
            set ip6-send-adv {enable | disable}
            config ip6-prefix-list
                edit <ipv6_prefix>
                    set autonomous-flag {enable | disable}
                    set onlink-flag {enable | disable}
                    set preferred-life-time <seconds>
                    set valid-life-time <seconds>
                end
            end
        end
        config l2tp-client-settings
            set user <username>
            set password <pwd>
            set peer-host <hostname>
            set peer-mask <netmask>
            set peer-port <port_integer>
            set mtu <bytes>
            set distance <admin_distance>
            set priority <integer>
            set defaultgw {enable | disable}
        end
        config secondaryip
            edit <secondary_ip_id>
                set allowaccess <access_types>
                set detectserver <pingserver_ipv4> [pingserver2_ipv4]
                set gwdetect {enable | disable}
                set ip <interface_ipv4mask>
            end
        end
        config wifi-mac_list
            edit <entry_number>
                set mac <mac_address>
            end
Note: A VLAN cannot have the same name as a zone or a virtual domain.
Variables, descriptions, and defaults:

allowaccess <access_types>
    Enter the types of management access permitted on this interface or secondary IP address.
    Valid types are: http https ping snmp ssh telnet. Separate each type with a space.
    If you want to add or remove an option from the list, retype the list as required.
    Default: varies for each interface.

alias <name_string>
    Enter an alias name for the interface. Once configured, the alias is displayed with the interface name to make it easier to distinguish.
    This option is only available when the interface type is physical.

arpforward {enable | disable}
    Enable or disable forwarding of ARP packets on this interface. ARP forwarding is required for DHCP relay and MS Windows Client browsing.
    Default: enable

auth-type <ppp_auth_method>
    Select the PPP authentication method for this interface.
    Enter auto to select the authentication method automatically.
    Enter chap for CHAP.
    Enter mschapv1 for Microsoft CHAP v1.
    Enter mschapv2 for Microsoft CHAP v2.
    Enter pap for PAP.
    This is available only when mode is pppoe and the type of interface is physical.
    Default: auto

bfd {enable | disable | global}
    The status of Bidirectional Forwarding Detection (BFD) on this interface:
    enable - enable BFD and ignore the global BFD configuration
    disable - disable BFD on this interface
    global - BFD behavior on this interface is based on the global configuration for BFD
    The other bfd* keywords are visible only if bfd is enabled.
    Default: global

bfd-desired-min-tx <interval_msec>
    Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec.
    Default: 50

bfd-detect-mult <multiplier>
    Select the BFD detection multiplier.
    Default: 3

bfd-required-min-rx <interval_msec>
    Enter the minimum required interval for the BFD receive interval. Valid range is from 1 to 100 000 msec.
    Default: 50

broadcast-forward {enable | disable}
    Select to enable broadcast forwarding. Use with caution.
    Default: disable

ddns {enable | disable}
    Enable or disable using a Dynamic DNS service (DDNS). If this interface of your FortiGate unit uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes.
    DDNS is available only in NAT/Route mode.
    Default: disable

ddns-domain <ddns_domain_name>
    Enter the fully qualified domain name to use for the DDNS. This is the domain name you have registered with your DDNS.
    This is available only when ddns is enabled, but ddns-server is not set to dnsart.com.
    No default.

ddns-password <ddns_password>
    Enter the password to use when connecting to the DDNS server.
    This is available only when ddns is enabled, but ddns-server is not set to dipdns.net.
    No default.

ddns-profile-id <dnsart_profile_id>
    Enter your DDNS profile ID. This keyword is available instead of ddns-domain.
    This is only available when ddns is enabled, and ddns-server is set to dnsart.com.
    No default.
ddns-server <ddns_service>
    Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can only connect automatically to a DDNS server for these supported clients.
    dhs.org supports members.dhs.org and dnsalias.com.
    dipdns.net supports dipdnsserver.dipdns.com.
    dnsart.com supports www.dnsart.com.
    dyndns.org supports members.dyndns.org.
    dyns.net supports www.dyns.net.
    now.net.cn supports ip.todayisp.com.
    ods.org supports ods.org.
    tzo.com supports rh.tzo.com.
    vavic.com supports ph001.oray.net.
    This is available only when ddns is enabled.
    No default.

ddns-sn <ddns_sn>
    Enter your DDNS serial number.
    This is available only if ddns is enabled, and ddns-server is set to dipdns.net. This keyword is available instead of ddns-username and ddns-password.
    No default.

ddns-username <ddns_username>
    Enter the user name to use when connecting to the DDNS server.
    This is available when ddns is enabled, but ddns-server is not set to dipdns.net.
    No default.

defaultgw {enable | disable}
    Enable or disable the interface as the default gateway.
    Default: disable

description <text>
    Optionally, enter up to 63 characters to describe this interface.
    No default.

detectserver <pingserver_ipv4> [pingserver2_ipv4]
    Add the IP address of a ping server. A ping server is usually the next hop router on the network connected to the interface. If gwdetect is enabled, the FortiGate unit confirms connectivity with the server at this IP address. Adding a ping server is required for routing failover.
    Optionally you can add 2 ping servers. The ping is sent to both at the same time, and only when neither server responds does gwdetect fail.
    A primary and secondary ping server IP address can be the same.
    This is available only in NAT/Route mode.
    No default.

dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
    Set DHCP relay IP addresses. You can specify up to eight DHCP relays. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept.
    Do not set dhcp-relay-ip to 0.0.0.0.
    No default.

dhcp-relay-service {enable | disable}
    Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type.
    There must be no other DHCP server of the same type (regular or ipsec) configured on this interface.
    Default: disable

dhcp-relay-type {ipsec | regular}
    Set dhcp-relay-type to ipsec or regular depending on the type of firewall traffic.
    Default: regular

disc-retry-timeout <pppoe_retry_seconds>
    Set the initial discovery timeout in seconds: the time to wait before retrying to start a PPPoE discovery. Set disc-retry-timeout to 0 to disable.
    mode must be set to pppoe.
    This is available in NAT/Route mode only.
    Default: 1
distance <admin_distance>
    Configure the administrative distance for routes learned through PPPoE or DHCP. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. See also router static distance <distance> on page 259.
    mode must be set to dhcp or pppoe for this keyword to be available.
    This is available in NAT/Route mode only.
    Default: 1

dns-server-override {enable | disable}
    Enable to allow the interface to use DNS server addresses it acquired via DHCP or PPPoE.
    mode must be set to dhcp or pppoe.
    Default: disable

edit <interface_name>
    Edit an existing interface or create a new VLAN interface.
    Default: none.

edit <ipv6_prefix>
    Enter the IPv6 prefix you want to configure. For settings, see the edit <ipv6_prefix> variables section of this table.
    Default: none.

edit <secondary_ip_id>
    Enter an integer identifier, e.g., 1, for the secondary IP address that you want to configure.
    Default: none.

fortimanager-discover-helper {enable | disable}
    When enabled, the FortiGate unit acts as a relay between a FortiManager unit and FortiClient units if they are on different networks.
    Default: disable

forward-domain <collision_group_number>
    Specify the collision domain to which this interface belongs. Layer 2 broadcasts are limited to the same group. By default, all interfaces are in group 0.
    Collision domains prevent the forwarding of ARP packets to all VLANs on an interface. Without collision domains, duplicate MAC addresses on VLANs may cause ARP packets to be duplicated. Duplicate ARP packets can cause some switches to reset.
    This command is available in Transparent mode only. For more information see Working with virtual domains on page 51.
    Default: 0

fp-anomaly [...]
    Select which applications to enable for per-port fast path anomaly protection.
    You can select multiple anomalies from the list.
    The default setting is disabled.
    This option is available only on AMC interfaces found on AMC cards.
    Default: disable

gwdetect {enable | disable}
    Enable or disable confirming connectivity with the server at the detectserver IP address. The frequency with which the FortiGate unit confirms connectivity is set using the failtime and interval keywords in the command system global on page 326.
    This is available in NAT/Route mode only.
    Default: disable

icmp-redirect {enable | disable}
    Disable to stop this interface from sending ICMP redirects.
    Default: enable

ident-accept {enable | disable}
    Enable or disable passing ident packets (TCP port 113) to the firewall policy. If set to disable, the FortiGate unit sends a TCP reset packet in response to an ident packet.
    Default: disable

idle-timeout <pppoe_timeout_seconds>
    Disconnect if the PPPoE connection is idle for the specified number of seconds. Set to zero to disable this feature.
    This is available when mode is set to pppoe.
    Default: 0

inbandwidth <bandwidth_integer>
    Enter the Kb/sec limit for incoming traffic for this interface. Enter 0 for unlimited bandwidth.
    Default: 0

interface <port_name>
    Enter the physical interface the virtual interface is linked to.
    This is available only when adding virtual interfaces such as VLANs and VPNs.
    Default: none.
ip <interface_ipv4mask>
    Enter the interface IP address and netmask.
    This is not available if mode is set to dhcp or pppoe. You can set the IP and netmask, but it will not display.
    This is available in NAT/Route mode only.
    The IP address cannot be on the same subnet as any other interface.
    Default: varies for each interface.

ipmac {enable | disable}
    Enable or disable IP/MAC binding for the specified interface. See ipmacbinding setting on page 86 and ipmacbinding table on page 88 for information about configuring IP/MAC binding settings.
    Default: disable

ipunnumbered <unnumbered_ipv4>
    Enable IP unnumbered mode for PPPoE. Specify the IP address to be borrowed by the interface. This IP address can be the same as the IP address of another interface or can be any IP address.
    This is available only when mode is pppoe.
    The unnumbered IP may be used for PPPoE interfaces for which no unique local address is provided. If you have been assigned a block of IP addresses by your ISP, for example, you can add any of these IP addresses to the unnumbered IP.
    No default.

l2forward {enable | disable}
    Set the state of layer 2 forwarding for this interface. Enter one of enable or disable.
    Default: disable

lcp-echo-interval <lcp_interval_seconds>
    Set the interval in seconds between PPPoE LCP echo requests.
    This is available only when mode is pppoe.
    Default: 5

lcp-max-echo-failures <missed_echoes>
    Set the maximum number of missed LCP echoes before the PPPoE link is disconnected.
    This is available only when mode is pppoe.
    Default: 3

log {enable | disable}
    Enable or disable traffic logging of connections to this interface.
    Default: disable

macaddr <mac_address>
    Override the factory set MAC address of this interface by specifying a new MAC address. Use the form xx:xx:xx:xx:xx:xx.
    Default: factory set.

mediatype {serdes | sgmii}
    Select SERDES or SGMII card type for your FB4 card.
    This is only available when the interface type is AMC.
    Default: serdes

mode <interface_mode>
    Configure the connection mode for the interface as one of: static, dhcp, or pppoe.
    static - configure a static IP address for the interface.
    dhcp - configure the interface to receive its IP address from an external DHCP server.
    pppoe - configure the interface to receive its IP address from an external PPPoE server. This is available only in NAT/Route mode.
    pppoa - configure the interface to receive its IP address from an external PPPoA server. This is available only in NAT/Route mode on models with an ADSL modem.
    eoa - Ethernet over ATM.
    ipoa - IP over ATM (also known as bridged mode).
    This is only available in NAT/Route mode.
    Default: static
mtu <mtu_bytes>
    Set a custom maximum transmission unit (MTU) size in bytes. Ideally set mtu to the size of the smallest MTU of all the networks between this FortiGate unit and the packet destination.
    <mtu_bytes> valid ranges are:
    68 to 1 500 bytes in static mode
    576 to 1 500 bytes in dhcp mode
    576 to 1 492 bytes in pppoe mode
    up to 16 110 bytes in jumbo frames (only supported on high end FortiGate models)
    In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
    If you configure jumbo frames on your FortiGate unit, all other network equipment on the route to the destination must also support jumbo frames.
    You can only set the MTU of a physical interface. All virtual interfaces inherit that MTU from the physical parent interface.
    mtu is available only when mtu-override is enabled.
    Default: 1500

mtu-override {enable | disable}
    Select enable to use a custom MTU size instead of the default (1 500). This is available for physical interfaces only.
    If you change the MTU, you must reboot the FortiGate unit to update the MTU values of the VLANs on this interface.
    FortiGate models 3000 and larger support jumbo frames. For more information on jumbo frames, see the Fortinet Administration Guide.
    Default: disable

netbios-forward {disable | enable}
    Select enable to forward NetBIOS broadcasts to a WINS server. Use wins-ip <wins_server_ip> to set the WINS server IP address.
    This is available in NAT/Route mode only.
    Default: disable

padt-retry-timeout <padt_retry_seconds>
    Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP.
    This is available in NAT/Route mode when mode is pppoe.
    Default: 1

password <pppoe_password>
    Enter the password to connect to the PPPoE server.
    This is available in NAT/Route mode when mode is pppoe.
    No default.

peer-interface <interface>
    Select an interface to be used in Transparent mode when the FortiGate unit cannot find the destination MAC address in the local table. This can happen during an IPS test.
    The peer-interface cannot be the same interface, but it must be in the same VDOM.
    This option is only available in Transparent mode.

priority <learned_priority>
    Enter the priority of routes using this interface.
    This is only available when mode is pppoe.
    No default.

remote-ip <ipv4>
    Enter an IP address for the remote end of a tunnel interface.
    If you want to use dynamic routing with the tunnel, or be able to ping the tunnel interface, you must specify an address for the remote end of the tunnel in remote-ip and an address for this end of the tunnel in ip.
    This is available only if type is tunnel.
    No default.
speed <interface_speed>
    The interface speed:
    auto, the default speed. The interface uses auto-negotiation to determine the connection speed. Change the speed only if the interface is connected to a device that does not support auto-negotiation.
    10full, 10 Mbps, full duplex
    10half, 10 Mbps, half duplex
    100full, 100 Mbps, full duplex
    100half, 100 Mbps, half duplex
    1000full, 1000 Mbps, full duplex
    1000half, 1000 Mbps, half duplex
    Speed options vary for different models and interfaces. Enter a space and a ? after the speed keyword to display a list of speeds available for your model and interface.
    You cannot change the speed for interfaces that are 4-port switches. This includes the internal interfaces of FortiGate models 60, 60M, 100A, 200A, and FortiWiFi-60. This also includes the LAN interface of the FortiGate-500A.
    Default: auto

status {down | up}
    Start or stop the interface. If the interface is stopped, it does not accept or send packets.
    If you stop a physical interface, associated virtual interfaces such as VLAN interfaces also stop.
    Default: up (down for VLANs)

stpforward {enable | disable}
    Enable or disable forwarding of Spanning Tree Protocol (STP) packets through this interface.
    Default: disable

subst {enable | disable}
    Enter enable to use a substitute destination MAC address on this interface.
    Default: disable

substitute-dst-mac <destination_mac_address>
    Enter the substitute destination MAC address to use when subst is enabled. Use the xx:xx:xx:xx:xx:xx format.
    No default.

tcp-mss <max_send_bytes>
    Enter the FortiGate unit's maximum segment size (MSS) for TCP packets.
    No default.
type {adsl | aggregate | loopback | physical | redundant | tunnel | vlan | wireless}
    Enter the type of interface. Note:
    adsl is available only on FortiGate model 60ADSL. The ADSL FortiGate model has an internal ADSL modem and this is a physical interface to connect to your ADSL service. For ADSL-specific keywords see variables for ADSL interface (model 60ADSL only) on page 358.
    aggregate is available only on FortiGate models 800 and higher. Aggregate links use the 802.3ad standard to group up to 8 interfaces together. For aggregate-specific keywords see variables for aggregate and redundant interfaces (models 800 and higher only) on page 359.
    loopback is a virtual interface that is always up. Its status and link status are not affected by external changes. It is primarily used for blackhole routing: any traffic routed to this interface is dropped. It may also be useful in some routing situations. Loopback interfaces have no DHCP settings, no forwarding, no mode and no DNS settings. You can only create a loopback interface from the CLI.
    redundant is used to group 2 or more interfaces together for reliability. Only one interface is in use at any given time. If the first interface fails, traffic continues uninterrupted as it switches to the next interface in the group. This is useful in HA configurations. The order in which interfaces become active in the group is determined by the order you specify using the set member keyword.
    tunnel is for reference only; you cannot create tunnel interfaces using this command. Create GRE tunnels using the system gre-tunnel command. Create IPSec tunnels using the vpn ipsec-intf phase1 command.
    vlan is for virtual LAN interfaces. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the unit.
    wireless applies only to the FortiWiFi-60A and FortiWiFi-60AM units.
    Default: vlan for a newly created interface, physical otherwise.
username <pppoe_username>
    Enter the user name used to connect to the PPPoE server. This is only available in NAT/Route mode when mode is set to pppoe.
    No default.

vdom <vdom_name>
    Enter the name of the virtual domain to which this interface belongs.
    When you change this keyword, the physical interface moves to the specified virtual domain. Firewall IP pools and virtual IPs previously added for this interface are deleted. You should also manually delete any routes that include this interface, as they may now be inaccessible.
    For more about VDOMs, see the FortiGate VLANs and VDOMs Guide.
    Default: root

vlanforward {enable | disable}
    Enable or disable forwarding of traffic between VLANs on this interface. When disabled, VLAN traffic is delivered only to its own VLAN.
    Default: enable

vlanid <id_number>
    Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
    The VLAN ID can be any number between 1 and 4096 but must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add multiple VLANs with different VLAN IDs to the same physical interface.
    This is available only when editing an interface with a type of vlan.
    For more about VLANs, see the FortiGate VLANs and VDOMs Guide.
    No default.

wins-ip <wins_server_ip>
    Enter the IP address of a WINS server to which to forward NetBIOS broadcasts. This WINS server address is only used if netbios-forward is enabled.
    This is available in NAT/Route mode only.
    No default.
WiFi keywords
These keywords apply only to the FortiWiFi-60A and FortiWiFi-60AM units when type is wireless.

mac <mac_address>
    Enter a MAC address for the MAC filter list. This is used in the config wifi-mac_list subcommand.
    No default.

wifi-acl {allow | deny}
    Select whether the MAC filter list allows or denies access.
    Default: deny

wifi-auth {PSK | RADIUS}
    Select either Pre-shared Key (PSK) or RADIUS to authenticate users connecting to this interface.
    This is available only when wifi-security is set to WPA.
    Default: PSK

wifi-broadcast_ssid {enable | disable}
    Enable if you want the FortiWiFi-60 to broadcast its SSID.
    Default: disable

wifi-encrypt {AES | TKIP}
    Select either Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) for encryption on this WLAN interface.
    This is available only when wifi-security is set to WPA.
    Default: TKIP

wifi-fragment_threshold <packet_size>
    Set the maximum size of a data packet before it is broken into two or more packets. Reducing the threshold can improve performance in environments that have high interference. Range 800-2346.
    This is available in AP mode only.
    Default: 2346

wifi-key <hex_key>
    Enter a WEP key. The WEP key must be 10 or 26 hexadecimal digits (0-9 a-f). For a 64-bit WEP key, enter 10 hexadecimal digits. For a 128-bit WEP key, enter 26 hexadecimal digits.
    wifi-security must be set to WEP128 or WEP64.
    This is available in AP mode only.
    No default.

wifi-mac-filter {enable | disable}
    Enable MAC filtering for the wireless interface.
    Default: disable

wifi-passphrase <pass_str>
    Enter the shared key for WPA_PSK security.
    wifi-security must be set to WPA_PSK.
    This is available in AP mode only.
    No default.

wifi-radius-server <server_name>
    Set the RADIUS server name for WPA_RADIUS security.
    wifi-security must be set to WPA_RADIUS.
    This is available in AP mode only.
    No default.

wifi-rts_threshold <integer>
    The Request to Send (RTS) threshold sets the time the unit waits for a Clear to Send (CTS) acknowledgement from another wireless device. Range 256-2347.
    This is available in AP mode only.
    Default: 2346

wifi-security <sec_mode>
    Enter the security (encryption) mode:
    None - communication is not encrypted.
    WEP64 - WEP 64-bit encryption.
    WEP128 - WEP 128-bit encryption.
    WPA_PSK - WPA encryption with pre-shared key. This is available in AP mode only.
    WPA_RADIUS - WPA encryption via RADIUS server. This is available in AP mode only.
    Default: None

wifi-ssid <id_str>
    Change the Service Set ID (SSID) as required.
    The SSID is the wireless network name that this FortiWiFi-60A WLAN broadcasts. Users who wish to use the wireless network should configure their computers to connect to the network that broadcasts this network name.
    Default: fortinet
config ipv6 variables

ip6-address <if_ipv6mask>
    The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513.
    This is available in NAT/Route mode only.
    Default: ::/0

ip6-allowaccess <access_types>
    Enter the types of management access permitted on this IPv6 interface.
    Valid types are: http https ping snmp ssh telnet. Separate the types with spaces.
    If you want to add or remove an option from the list, retype the list as required.
    Default: varies for each interface.

ip6-default-life <ipv6_life_seconds>
    Enter the number, in seconds, to add to the Router Lifetime field of router advertisements sent from the interface. The valid range is 0 to 9000.
    This is available in NAT/Route mode only.
    Default: 1800

ip6-hop-limit <ipv6_hops_limit>
    Enter the number to be added to the Cur Hop Limit field in the router advertisements sent out this interface. Entering 0 means no hop limit is specified.
    This is available in NAT/Route mode only.
    Default: 0

ip6-link-mtu <ipv6_mtu>
    Enter the MTU number to add to the router advertisement options field. Entering 0 means that no MTU options are sent.
    This is available in NAT/Route mode only.
    Default: 0

ip6-manage-flag {disable | enable}
    Enable or disable the managed address configuration flag in router advertisements.
    This is available in NAT/Route mode only.
    Default: disable

ip6-max-interval <adverts_max_seconds>
    Enter the maximum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface. The valid range is 4 to 1800.
    This is available in NAT/Route mode only.
    Default: 600

ip6-min-interval <adverts_min_seconds>
    Enter the minimum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface. The valid range is 4 to 1800.
    This is available in NAT/Route mode only.
    Default: 198

ip6-other-flag {disable | enable}
    Enable or disable the other stateful configuration flag in router advertisements.
    This is available in NAT/Route mode only.
    Default: disable

ip6-reachable-time <reachable_msecs>
    Enter the number to be added to the reachable time field in the router advertisements. The valid range is 0 to 3600. Entering 0 means no reachable time is specified.
    This is available in NAT/Route mode only.
    Default: 0

ip6-retrans-time <retrans_msecs>
    Enter the number to be added to the Retrans Timer field in the router advertisements. Entering 0 means that the Retrans Timer is not specified.
    This is available in NAT/Route mode only.
    Default: 0

ip6-send-adv {enable | disable}
    Enable or disable the flag indicating whether or not to send periodic router advertisements and to respond to router solicitations.
    This is available in NAT/Route mode only.
    Default: disable
edit <ipv6_prefix> variables

autonomous-flag {enable | disable}
    Set the state of the autonomous flag for the IPv6 prefix. Enter one of: enable, disable.
    Default: disable

onlink-flag {enable | disable}
    Set the state of the on-link flag ("L-bit") in the IPv6 prefix. Enter one of: enable, disable.

preferred-life-time <seconds>
    Enter the preferred lifetime, in seconds, for this IPv6 prefix.
    Default: 604800

valid-life-time <seconds>
    Enter the valid lifetime, in seconds, for this IPv6 prefix.
    Default: 2592000
config l2tp-client-settings variables
For more information on L2TP see vpn l2tp on page 477.

user <username>
    Enter the username for this L2TP client. If this username includes spaces or special characters, enclose it in quotes. This username is used to connect to the remote peer.

password <pwd>
    Enter the password for this L2TP client. If this password includes spaces or special characters, enclose it in quotes. This information is used to connect to the remote peer.

peer-host <hostname>
    Enter the host name for this L2TP client. If this hostname includes spaces or special characters, enclose it in quotes. This information is used to connect to the remote peer.

peer-mask <netmask>
    Enter the IP netmask for the L2TP client peer. This information is used to connect to the remote peer.
    Default: 255.255.255.255

peer-port <port_integer>
    Enter the port number of this L2TP client peer. Valid numbers are from 0 to 65535.
    Default: 1701

mtu <bytes>
    Set a custom maximum transmission unit (MTU) size in bytes. Ideally, set mtu to the size of the smallest MTU of all the networks between this FortiGate unit and the packet destination.
    Default: 1460

distance <admin_distance>
    Configure the administrative distance for routes learned through this peer. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. See also router static distance <distance> on page 259.
    This is available in NAT/Route mode only.

priority <integer>
    Enter the priority of routes using this interface. Values can be from 0 to 255.
    Default: 0

defaultgw {enable | disable}
    Enable or disable this connection as the default gateway.
    Default: disable
variables for ADSL interface (model 60ADSL only)
These variables are available only when type is adsl.

gateway_address <IPv4>
    Enter the IP address of the gateway for this interface.

l2tp-client {enable | disable}
    This option enables the configuration of Layer 2 Tunneling Protocol (L2TP) clients. See

mux-type {llc-encaps | vc-encaps}
    Enter the MUX type as either llc-encaps or vc-encaps. This information is provided by your ISP.

vci <integer>
    Enter the virtual circuit identification VCI number. Valid numbers are from 0 to 255. This number is provided by your ISP.
    Default: 0

vpi <integer>
    Enter the virtual circuit identification VPI number. Valid numbers are from 0 to 65535. This number is provided by your ISP.
    Default: 35
variables for aggregate and redundant interfaces (models 800 and higher only)
These variables are available only when type is aggregate or redundant.

algorithm {L2 | L3 | L4}
    Enter the algorithm used to control how frames are distributed across links in an aggregated interface. The choice of algorithm determines what information is used to determine frame distribution. Enter one of:
    L2 - use source and destination MAC addresses
    L3 - use source and destination IP addresses, falling back to the L2 algorithm if IP information is not available
    L4 - use TCP, UDP or ESP header information
    Default: L4

lacp-ha-slave {enable | disable}
    This option affects how the aggregate interface participates in Link Aggregation Control Protocol (LACP) negotiation when HA is enabled for the VDOM. It takes effect only if Active-Passive HA is enabled and lacp-mode is not static. Enter enable to participate in LACP negotiation as a slave or disable to not participate.
    Default: enable

lacp-mode {active | passive | static}
    Enter one of active, passive, or static.
    active - send LACP PDU packets to negotiate link aggregation connections. This is the default.
    passive - respond to LACP PDU packets and negotiate link aggregation connections.
    static - link aggregation is configured statically.
    Default: active

lacp-speed {fast | slow}
    Enter slow to send LACP PDU packets every 30 seconds to negotiate link aggregation connections. This is the default. Enter fast to send LACP PDU packets every second, as recommended in the IEEE 802.3ad standard.
    This is available only on FortiGate models 800 and higher when type is aggregate.
    Default: slow

member <if_name1> <if_name2> ...
    Specify a list of physical interfaces that are part of an aggregate or redundant group. To modify a list, enter the complete revised list.
    If VDOMs are enabled, then vdom must be set the same for each interface before you enter the member list.
    An interface is available to be part of an aggregate or redundant group only if:
    - it is a physical interface, not a VLAN interface
    - it is not already part of an aggregated or redundant interface
    - it is in the same VDOM as the aggregated interface
    - it has no defined IP address and is not configured for DHCP or PPPoE
    - it has no DHCP server or relay configured on it
    - it does not have any VLAN subinterfaces
    - it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
    - it is not an HA heartbeat device or monitored by HA
    In a redundant group, failover to the next member interface happens when the active interface fails or is disconnected. The order in which you specify the interfaces in the member list is the order in which they become active in the redundant group. For example, if you enter set member port5 port1, then port5 will be active at the start, and when it fails or is disconnected port1 will become active.
    This is available only when type is aggregate or redundant.
    No default.
Example
This example shows how to set the FortiGate-300 internal interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
    config system interface
        edit internal
            set allowaccess ping https ssh
            set ip 192.168.110.26 255.255.255.0
        end
This example shows how to add a loopback interface with a name of loop1. The IP address is set to 10.0.0.10 255.255.255.0 and bfd is set to global. Any traffic sent to this interface will be dropped, as it is a blackhole route.
    config system interface
        edit loop1
            set type loopback
            set ip 10.0.0.10 255.255.255.0
            set bfd global
        end
This example shows how to add a secondary IP address and netmask of 192.176.23.180 255.255.255.0 to the internal interface, and to configure ping and https management access to this secondary IP address. You cannot add a secondary IP that is part of the subnet of the original interface IP address.
    config system interface
        edit internal
            config secondaryip
                edit 1
                    set allowaccess ping https
                    set ip 192.176.23.180 255.255.255.0
                end
        end
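Several constraints stated in the interface keyword descriptions above (VLAN IDs must be 1-4096 and unique per physical interface, a WEP key must be 10 or 26 hexadecimal digits, and an aggregate or redundant member must be a physical interface with no IP address, DHCP/PPPoE or VLAN subinterfaces) can be checked mechanically against a saved configuration. The following audit is an added example and not Fortinet code: the configuration text is constructed, parse_interfaces and audit_interfaces are hypothetical helper names, and it implements only the rules quoted from this page plus a flag for cleartext management protocols (http, telnet) in allowaccess.

```python
import re

# Constructed sample in this reference's 'config system interface' syntax, seeded with problems to find (not a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set type physical
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh telnet
    next
    edit "port3"
        set type physical
    next
    edit "vlan10"
        set interface "internal"
        set vlanid 10
    next
    edit "vlan10dup"
        set interface "internal"
        set vlanid 10
    next
    edit "vlan5000"
        set interface "port3"
        set vlanid 5000
    next
    edit "wifi"
        set type wireless
        set wifi-security WEP64
        set wifi-key 0123456789ab
    next
    edit "agg1"
        set type aggregate
        set member "port3" "vlan10"
    next
end
"""

WEAK_WIFI_SECURITY = {"None", "WEP64", "WEP128"}  # unencrypted or WEP
CLEARTEXT_ACCESS = {"http", "telnet"}             # unencrypted management


def parse_interfaces(config_text):
    """Parse 'edit <name> ... next' entries into {name: {keyword: [values]}}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {}
        elif line in ("next", "end"):
            current = None
        elif line.startswith("set ") and current is not None:
            keyword, _, rest = line[4:].partition(" ")
            interfaces[current][keyword] = [v.strip('"') for v in rest.split()]
    return interfaces


def audit_interfaces(interfaces):
    """Return (interface, finding) pairs for rules stated in the reference."""
    findings = []
    vlan_seen = {}  # (parent interface, vlanid) -> first subinterface using it
    vlan_parents = {kw["interface"][0] for kw in interfaces.values()
                    if "vlanid" in kw and "interface" in kw}
    for name, kw in interfaces.items():
        if_type = kw.get("type", ["vlan"])[0]  # new interfaces default to type vlan
        # Cleartext management protocols enabled on the interface.
        for proto in sorted(CLEARTEXT_ACCESS & set(kw.get("allowaccess", []))):
            findings.append((name, f"allowaccess permits cleartext {proto}"))
        # VLAN ID must be 1-4096 and unique per physical interface.
        if "vlanid" in kw:
            vid, parent = int(kw["vlanid"][0]), kw.get("interface", [""])[0]
            if not 1 <= vid <= 4096:
                findings.append((name, f"vlanid {vid} outside 1-4096"))
            elif (parent, vid) in vlan_seen:
                findings.append((name, f"vlanid {vid} already used on {parent} by {vlan_seen[(parent, vid)]}"))
            else:
                vlan_seen[(parent, vid)] = name
        # Wireless: open/WEP modes are weak; a WEP key is 10 or 26 hex digits.
        if if_type == "wireless":
            sec = kw.get("wifi-security", ["None"])[0]
            if sec in WEAK_WIFI_SECURITY:
                findings.append((name, f"wifi-security {sec} is weak; use WPA_PSK or WPA_RADIUS"))
            key = kw.get("wifi-key", [""])[0]
            if sec.startswith("WEP") and not re.fullmatch(r"[0-9a-f]{10}|[0-9a-f]{26}", key):
                findings.append((name, "wifi-key must be 10 or 26 hex digits"))
        # Aggregate/redundant members: physical, no IP/DHCP/PPPoE, no VLANs.
        if if_type in ("aggregate", "redundant"):
            for member in kw.get("member", []):
                mkw = interfaces.get(member, {})
                if mkw.get("type", ["vlan"])[0] != "physical":
                    findings.append((name, f"member {member} is not a physical interface"))
                if "ip" in mkw or mkw.get("mode", ["static"])[0] in ("dhcp", "pppoe"):
                    findings.append((name, f"member {member} has an IP address or DHCP/PPPoE"))
                if member in vlan_parents:
                    findings.append((name, f"member {member} has VLAN subinterfaces"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_interfaces(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```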
Command history
FortiOS v2.80        Substantially revised. IPv6 added.
FortiOS v2.80 MR2    Added netbios-forward, wins-ip keywords. Removed zone keyword, moved to system zone.
FortiOS v2.80 MR3    Added defaultgw keyword.
FortiOS v2.80 MR6    Added mtu-override keyword.
FortiOS v3.0         Added ident-accept keyword.
FortiOS v3.0 MR1     Added <pingserver2_ip4> to detectserver, aggregate and redundant to type keyword, and added priority keyword.
FortiOS v3.0 MR3     DDNS retry interval increased to after 3 failed attempts. Added wifi-auth, wifi-encrypt, and show-backplane-intf keywords. Removed defaultgw keyword.
FortiOS v3.0 MR4     Added bfd, bfd-desired-min-tx, bfd-detect-mult, bfd-required-min-rx keywords.
FortiOS v3.0 MR5     Added peer-interface, loopback type, alias, fp-anomaly, icmp-redirect, and mediatype. Changes to parameters of auth-type.
ipv6-tunnel
Use this command to tunnel IPv6 traffic over an IPv4 network.
The IPv6 interface is configured under config system interface.
Note: This command is not available in Transparent mode.
Command syntax pattern
    config system ipv6-tunnel
        edit <tunnel_name>
            set destination <tunnel_address>
            set interface <name>
            set ip6 <address_ipv6>
            set source <address_ipv4>
        end

edit <tunnel_name>
    Enter a name for the IPv6 tunnel.
    No default.

destination <tunnel_address>
    The destination IPv4 address for this tunnel.
    Default: 0.0.0.0

interface <name>
    The interface used to send and receive traffic for this tunnel.
    No default.

ip6 <address_ipv6>
    The IPv6 address for this tunnel.
    No default.

source <address_ipv4>
    The source IPv4 address for this tunnel.
    Default: 0.0.0.0

Example
Use the following commands to set up an IPv6 tunnel.
    config system ipv6-tunnel
        edit test_tunnel
            set destination 10.10.10.1
            set interface internal
            set ip6 12AB:0:0:CD30::/60
            set source 192.168.50.1
        end
Command history
FortiOS v2.80        New.
FortiOS v3.0         Changed from ipv6_tunnel to ipv6-tunnel.
FortiOS v3.0 MR1     Removed vdom keyword.
FortiOS v3.0 MR2     Added command syntax for multiple-vdom mode. Removed ipv6 and mode keywords.
FortiOS v3.0 MR5     Added ip6.
Related topics
    system interface
mac-address-table
Use this command to create a static MAC table. The table can hold up to 200 entries.
This command is available in Transparent mode only.
Command syntax pattern
    config system mac-address-table
        edit <mac-address_hex>
            set interface <if_name>
        end

edit <mac-address_hex>
    Enter the MAC address as six pairs of hexadecimal digits separated by colons, e.g. 11:22:33:00:ff:aa.
    No default.

interface <if_name>
    Enter the name of the interface to which this MAC table entry applies.
    No default.

Example
Use the following commands to add a static MAC entry for the internal interface.
    config system mac-address-table
        edit 11:22:33:00:ff:aa
            set interface internal
        end
Command history
FortiOS v2.80        Renamed and revised. Formerly set system brctl.
modem
Use this command to configure a FortiGate-60M modem or a serial modem interface connected using a serial converter to the FortiGate-50A or FortiGate-60 USB port.
You can add the information to connect to up to three dialup accounts. The FortiGate-60 or FortiGate-60M unit modem interface can act as a backup interface for one of the FortiGate ethernet interfaces or as a standalone dialup interface.
These commands are available in NAT/Route mode only and apply only to models 50A, 60, 60M and 60-WiFi.
Command syntax pattern
    config system modem
        set altmode {enable | disable}
        set auto-dial {enable | disable}
        set connect_timeout <seconds>
        set dial-on-demand {enable | disable}
        set distance <distance>
        set holddown-timer <seconds>
        set idle-timer <minutes>
        set interface <name>
        set mode {redundant | standalone}
        set passwd1 <password_str>
        set passwd2 <password_str>
        set passwd3 <password_str>
        set peer_modem1 {actiontec | ascendTNT | generic}
        set peer_modem2 {actiontec | ascendTNT | generic}
        set peer_modem3 {actiontec | ascendTNT | generic}
        set phone1 <phone-number>
        set phone2 <phone-number>
        set phone3 <phone-number>
        set priority <integer>
        set redial <tries_integer>
        set status {disable | enable}
        set username1 <name_str>
        set username2 <name_str>
        set username3 <name_str>
    end

altmode {enable | disable}
    Enable for installations using PPP in China.
    Default: enable

auto-dial {enable | disable}
    Enable to dial the modem automatically if the connection is lost or the FortiGate unit is restarted.
    This is available only when dial-on-demand is set to disable and mode is set to standalone.
    Default: disable

connect_timeout <seconds>
    Set the connection completion timeout (30 - 255 seconds).
    Default: 90

dial-on-demand {enable | disable}
    Enable to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle-timer period.
    This is available only if auto-dial is set to disable and mode is set to standalone.
    Default: disable

distance <distance>
    Enter the administrative distance (1-255) to use for the default route that is automatically added when the modem connects and obtains an IP address. A lower distance indicates a more preferred route. See also router static distance <distance> on page 259.
    This keyword is useful for configuring redundant routes in which the modem interface acts as a backup to another interface.
    Default: 1

holddown-timer <seconds>
    Used only when the modem is configured as a backup for an interface. Set the time (1-60 seconds) that the FortiGate unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored.
    This is available only when mode is set to redundant.
    Default: 60

idle-timer <minutes>
    Set the number of minutes the modem connection can be idle before it is disconnected.
    This is available only if mode is set to standalone.
    Default: 5

interface <name>
    Enter an interface name to associate the modem interface with the ethernet interface that you want to either back up (backup configuration) or replace (standalone configuration).
    No default.

mode {redundant | standalone}
    Enter the required mode:
    redundant - the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
    standalone - the modem interface is the connection from the FortiGate unit to the Internet.
    Default: standalone

passwd1 <password_str>
    Enter the password used to access the specified dialup account.
    No default.

passwd2 <password_str>
    Enter the password used to access the specified dialup account.
    No default.

passwd3 <password_str>
    Enter the password used to access the specified dialup account.
    No default.

peer_modem1 {actiontec | ascendTNT | generic}
    If the modem at phone1 is Actiontec or AscendTNT, select that type, otherwise leave the setting as generic.
    This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic

peer_modem2 {actiontec | ascendTNT | generic}
    If the modem at phone2 is Actiontec or AscendTNT, select that type, otherwise leave the setting as generic.
    This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic

peer_modem3 {actiontec | ascendTNT | generic}
    If the modem at phone3 is Actiontec or AscendTNT, select that type, otherwise leave the setting as generic.
    This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic

phone1 <phone-number>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
    No default.

phone2 <phone-number>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
    No default.

phone3 <phone-number>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
    No default.

priority <integer>
    Enter the priority of learned routes on this interface. Valid priorities are from 0 to 4294967295.
    Default: 0

redial <tries_integer>
    Set the maximum number of times (1-10) that the FortiGate unit dials the ISP to restore an active connection on the modem interface. Select none to allow the modem to redial without a limit.
    No default.

status {disable | enable}
    Enable or disable modem support. This is equivalent to bringing an interface up or down.
    Default: disable

username1 <name_str>
    Enter the user name used to access the specified dialup account.
    No default.

username2 <name_str>
    Enter the user name used to access the specified dialup account.
    No default.

username3 <name_str>
    Enter the user name used to access the specified dialup account.
    No default.

Example
This example shows how to enable the modem and configure it to act as a backup for the WAN1 interface. Only one dialup account is configured. The FortiGate unit and modem will attempt to dial this account 10 times. The FortiGate unit will wait 5 seconds after the WAN1 interface recovers before switching back to the WAN1 interface.
    config system modem
        set action dial
        set status enable
        set holddown-timer 5
        set interface wan1
        set passwd1 acct1passwd
        set phone1 1234567891
        set redial 10
        set username1 acct1user
    end
This example shows how to display the settings for the modem command.
    get system modem
This example shows how to display the configuration for the modem command.
    show system modem
Command history
Related topics
    system interface
npu
Use this command to configure the Network Processing Unit (NPU) for FortiGate units that support FB4.
Command syntax pattern
    config system npu
        set enc-offload-antireplay {enable | disable}
        set dec-offload-antireplay {enable | disable}
        set offload-ipsec-host {enable | disable}
        set traffic-shaping-mode {unidirection | bidirection}
    next
    end
Note: If you use the traffic-shaping-mode command, the bidirection option counts twice as much traffic. You need to allow twice the bandwidth as with unidirection.

enc-offload-antireplay {enable | disable}
    Enable this option for the system to offload IPSEC packet encryption to FB4 when the egress port of the tunnel is on FB4.
    Default: disable

dec-offload-antireplay {enable | disable}
    Enable this option for the system to offload IPSEC packet encryption to FB4 when the ingress port of the tunnel is on FB4.
    Default: enable

offload-ipsec-host {enable | disable}
    Enable this option for the system to offload packet encryption to FB4 when the egress port of this packet is on FB4.
    Default: disable

traffic-shaping-mode {unidirection | bidirection}
    Select the fast path bandwidth calculation method. In unidirection, traffic in each direction is counted separately. In bidirection, the traffic in both directions is counted at the same time.
    The default value on 3600A models is bidirection. The default value on 3810B models is unidirection.

Command history
FortiOS v3.0 MR5     New.
proxy-arp
Use this command to add IP address to MAC address translation entries to the proxy ARP table.
Command syntax pattern
    config system proxy-arp
        edit <table_entry>
            set interface <port>
            set ip <ipv4_address>
        next
    end

edit <table_entry>
    Enter the unique ID of the table entry to add or modify.
    No default.

interface <port>
    Enter the physical port this IP will be associated with.
    No default.

ip <ipv4_address>
    Enter the IP address to associate with this physical port.
    No default.

Command history
FortiOS v3.0 MR2     New.
Related topics
    system arp-table
    get router info bgp
replacemsg admin
Use this command to change the administration disclaimer page.
These are HTML messages with HTTP headers.
Command syntax pattern
    config system replacemsg admin admin_disclaimer_text
        set buffer <message>
        set format <format>
        set header <header_type>
    end
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Generally there is not a large call for these tags in disclaimer pages.
Note: If you unset the buffer for a replacement message, it will be cleared.

buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8192 characters.
    Default: depends on message type.

format <format>
    Set the format of the message: html, text, none.
    No default.

header <header_type>
    Set the format of the message header: 8bit, http, none.
    Default: depends on message type.

Table 6: Replacement message tags
%%AUTH_REDIR_URL%%
    Link to open a new window (optional).
%%AUTH_LOGOUT%%
    Immediately close the connection policy.
%%KEEPALIVEURL%%
    URL the keep alive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.
%%TIMEOUT%%
    Configured number of seconds between %%KEEPALIVEURL%% connections.

Command history
FortiOS v3.0 MR4     New command.
replacemsg alertmail
Alertmail can be configured to alert users or admins about important system events such as blocked
files or viruses detected.
Use this command to change the alertmail pages including:
the block message that alerts users a file transfer was blocked
the critical firewall event message
the hard disk log is full message
the nids event message to notify a network intrusion event has occurred
the virus message to indicate that a message was found
These are HTML messages with HTTP headers.
Command syntax pattern
conf i g syst emr epl acemsg al er t mai l aut h_msg_t ype
set buf f er <message>
set f or mat <f or mat >
set header <header _t ype>
end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable Description Default
aut h_msg_t ype FortiGuard replacement alertmail message type. One of: No default
al er t mai l -
bl ock
A file download was blocked.
Default message includes name of file.
al er t mai l -
cr i t - event
A critical firewall event occurred.
Default message includes the event type.
al er t mai l -
di sk- f ul l
The hard disk log is full.
al er t mai l -
ni ds- event
An intrusion event occurred.
Default message includes the intrusion type.
al er t mai l -
vi r us
A virus or worm was detected.
Default message includes the virus or worm type.
buf f er <message> Type a new replacement message to replace the current replacement
message. Maximum length 8 192 characters.
Depends on
message
type.
f or mat <f or mat > Set the format of the message:
ht ml
t ext
none
No default
header
<header _t ype>
Set the format of the message header:
8bi t
ht t p
none
Depends on
message
type.
FortiGate CLI Version 3.0 MR5 Reference
370 01-30005-0015-20070803
replacemsg alertmail system
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Example
The default message for a detected virus is:
Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%%
Destination IP: %DST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To:
%%EMAIL_TO%%
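As an added illustration (not code from this reference or from FortiOS), the following Python checks a replacement message buffer against the 8 192-character limit and the tag tables on this page before it is loaded with set buffer, and expands the tags the way the recipient would see them. The tag catalog, the template and the event values are constructed for the example.

```python
import re

MAX_BUFFER = 8192  # maximum replacement message length stated in this reference
TAG_RE = re.compile(r"%%([A-Z_]+)%%")
# A tag with only one % on either side is never expanded; flag it before loading the buffer.
MALFORMED_RE = re.compile(r"(?<!%)%[A-Z_]+%%|%%[A-Z_]+%(?!%)")

# Tags accepted by each category, copied from the tag tables in this reference
# (Table 7 alertmail, Table 12 http, Table 14 mail). Constructed lookup, not a FortiGate API.
TAGS_BY_CATEGORY = {
    "alertmail": {"FILE", "VIRUS", "URL", "CRITICAL_EVENT", "PROTOCOL", "SOURCE_IP",
                  "DEST_IP", "EMAIL_FROM", "EMAIL_TO", "NIDS_EVENT"},
    "http": {"FILE", "VIRUS", "QUARFILENAME", "URL", "PROTOCOL", "SOURCE_IP", "DEST_IP"},
    "mail": {"FILE", "VIRUS", "QUARFILENAME", "PROTOCOL", "SOURCE_IP", "DEST_IP",
             "EMAIL_FROM", "EMAIL_TO"},
}


def check_buffer(category, buffer):
    """Return a list of problems with a replacement message buffer for a category:
    over the 8 192-character limit, tags not in that category's table, or malformed tags."""
    problems = []
    if len(buffer) > MAX_BUFFER:
        problems.append(f"buffer is {len(buffer)} characters, limit is {MAX_BUFFER}")
    allowed = TAGS_BY_CATEGORY[category]
    for tag in sorted(set(TAG_RE.findall(buffer))):
        if tag not in allowed:
            problems.append(f"%%{tag}%% is not a valid tag for the {category} category")
    for bad in MALFORMED_RE.findall(buffer):
        problems.append(f"{bad} is malformed (tags need %% on both sides)")
    return problems


def render(buffer, values):
    """Expand %%TAG%% placeholders from a dict of tag values, the way the unit fills a
    message in for the recipient. Tags with no value are left in place unchanged."""
    def substitute(match):
        tag = match.group(1)
        return str(values[tag]) if tag in values else match.group(0)
    return TAG_RE.sub(substitute, buffer)


# Constructed template modelled on the default alertmail virus message shown above,
# using the tag names of Table 7.
VIRUS_TEMPLATE = ("Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% "
                  "Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% "
                  "Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%%")

# Constructed event values, not a real detection.
SAMPLE_EVENT = {
    "VIRUS": "EICAR_TEST_FILE",
    "PROTOCOL": "SMTP",
    "SOURCE_IP": "192.0.2.10",
    "DEST_IP": "198.51.100.25",
    "EMAIL_FROM": "sender@example.com",
    "EMAIL_TO": "user@example.net",
}

if __name__ == "__main__":
    print(check_buffer("alertmail", VIRUS_TEMPLATE))  # [] : every tag is in Table 7
    print(check_buffer("http", VIRUS_TEMPLATE))       # EMAIL_FROM and EMAIL_TO rejected
    print(render(VIRUS_TEMPLATE, SAMPLE_EVENT))
```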
Table 7: Replacement message tags
Tag                   Description
%%FILE%%              The name of a file that has been removed from a content stream. This could be a file
                      that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                      used in virus and file block messages.
%%VIRUS%%             The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                      be used in virus messages.
%%URL%%               The URL of a web page. This can be a web page that is blocked by web filter content
                      or URL blocking. %%URL%% can also be used in http virus and file block messages to
                      be the URL of the web page from which a user attempted to download a file that is
                      blocked.
%%CRITICAL_EVENT%%    Added to alert email critical event email messages. %%CRITICAL_EVENT%% is
                      replaced with the critical event message that triggered the alert email.
%%PROTOCOL%%          The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                      %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%         IP address of the email server that sent the email containing the virus.
%%DEST_IP%%           IP address of the user's computer that attempted to download the message from
                      which the file was removed.
%%EMAIL_FROM%%        The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%          The email address of the intended receiver of the message from which the file was
                      removed.
%%NIDS_EVENT%%        The IPS attack message. %%NIDS_EVENT%% is added to alert email intrusion
                      messages.
Command history
FortiOS v2.8          New command.
FortiOS v3.0 MR2      Command removed.
FortiOS v3.0 MR3      Command added. Replacement messages increased in size from 4 096 to 8 192 bytes per
                      message.
replacemsg auth
Use this command to change the authentication pages including:
  the challenge page that prompts users for additional verification past initial login information
  the disclaimer page that notifies users when they are leaving the protected network
  the keepalive page that keeps a session open by renewing the connection at a set interval
  the failed login page that informs the user of their failed attempt to authenticate themselves and
  provides the login prompt for them to try again
  the login page presented to users who must authenticate themselves to use firewall policies or
  VPNs
  the reject page that is displayed when the user rejects the disclaimer page
These are HTML messages with HTTP headers.
Command syntax pattern
  config system replacemsg auth auth_msg_type
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
auth_msg_type         FortiGuard replacement message type. One of:                         No default
                        auth-challenge-page       Challenges the user with a question.
                        auth-disclaimer[1|2|3]    Prompts user to accept the displayed disclaimer
                                                  when leaving protected network. The extra pages
                                                  seamlessly extend the size of the page from
                                                  8 192 characters up to 16 384 and 24 576
                                                  characters respectively.
                        auth-keepalive-page       Keeps a session open by connecting to renew the
                                                  connection policy. Closing the page will time out
                                                  the connection.
                        auth-login-failed-page    Displays after user fails to log in. This page
                                                  includes a failed login message and a login prompt.
                        auth-login-page           Prompts the user for their username and password to
                                                  log in.
                        auth-reject-page          Displays when user rejects the disclaimer page.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message: html, text, none                      No default
header <header_type>  Set the format of the message header: 8bit, http, none               Depends on
                                                                                           message type.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Requirements for login page
The authentication login page is linked to FortiGate functionality and you must construct it according to
the following guidelines to ensure that it will work.
  The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST".
  The form must contain the following hidden controls:
    <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
    <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
    <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
  The form must contain the following visible controls:
    <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
    <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
Table 8: Replacement message tags
Tag                   Description
%%AUTH_REDIR_URL%%    Link to open a new window (optional).
%%AUTH_LOGOUT%%       Immediately close the connection policy.
%%FAILED_MESSAGE%%    Message displayed on failed login page after user login fails.
%%KEEPALIVEURL%%      URL the keep alive page connects to that keeps the connection policy alive.
                      Connects every %%TIMEOUT%% seconds.
%%QUESTION%%          The default login and rejected login pages use this text immediately preceding the
                      username and password fields. The default challenge page uses this as the challenge
                      question. These are treated as two different variables by the server.
                      If you want to use different text, replace %%QUESTION%% with the text that you prefer.
%%TIMEOUT%%           Configured number of seconds between %%KEEPALIVEURL%% connections.
%%USERNAMEID%%        Username of the user logging in. This tag is used on the login and failed login pages.
%%PASSWORDID%%        Password of the user logging in. This tag is used on the challenge, login and failed
                      login pages.
Example
This example shows how to change the authentication login page. You enter the web page content as
one long quoted string, using the backslash (\) character at the end of each line to continue the text
on the next line. Double quotes inside the quoted string are escaped as \".
  config system replacemsg auth auth-login-page
    set buffer "<html><head> \
<title>Firewall Authentication</title> \
</head> \
<body><h4>You must authenticate to use this service.</h4> \
<form action=\"/\" method=\"post\"> \
<input name=\"%%MAGICID%%\" value=\"%%MAGICVAL%%\" type=\"hidden\"> \
<table align=\"center\" bgcolor=\"#00cccc\" border=\"0\" \
cellpadding=\"15\" cellspacing=\"0\" width=\"320\"><tbody> \
<tr><th>Username:</th> \
<td><input name=\"%%USERNAMEID%%\" size=\"25\" type=\"text\"></td></tr> \
<tr><th>Password:</th> \
<td><input name=\"%%PASSWORDID%%\" size=\"25\" type=\"password\"></td> \
</tr><tr><td colspan=\"2\" align=\"center\" bgcolor=\"#00cccc\"> \
<input name=\"%%STATEID%%\" value=\"%%STATEVAL%%\" type=\"hidden\"> \
<input name=\"%%REDIRID%%\" value=\"%%PROTURI%%\" type=\"hidden\"> \
<input value=\"Continue\" type=\"submit\"></td></tr></tbody></table> \
</font></form></body></html>"
    set format html
    set header http
  end
Command history
FortiOS v3.0          auth category added.
FortiOS v3.0 MR2      Added auth-challenge-page, auth-disclaimer[1|2|3]-page, auth-keepalive-page,
                      auth-loginfailed-page and auth-reject-page keywords.
FortiOS v3.0 MR3      Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg fortiguard-wf
Use this command to change the default messages that replace web pages that FortiGuard web
filtering has blocked.
By default, these are HTML messages.
Command syntax pattern
  config system replacemsg fortiguard-wf <fortiguard_msg_type>
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable                Description                                                        Default
<fortiguard_msg_type>   FortiGuard replacement message type. One of:                       No default.
                          ftgd-block   FortiGuard blocked a web page.
                          ftgd-ovrd    FortiGuard override form.
                          http-err     An error occurred when accessing the web page.
buffer <message>        Type a new replacement message to replace the current              Depends on
                        replacement message. Maximum length 8 192 characters.              message type.
format <format>         Set the format of the message, one of: html, text, none            html
header <header_type>    Set the format of the message header: 8bit, http, none             http
Table 9: Replacement message tags
Tag                     Description
%%URL%%                 The URL of a web page. This can be a web page that is blocked by web filter content
                        or URL blocking. %%URL%% can also be used in http virus and file block messages to
                        be the URL of the web page from which a user attempted to download a file that is
                        blocked.
Command history
FortiOS v2.80           New
FortiOS v2.80 MR2       Changed cerb keyword to catblock.
FortiOS v3.0            IM category added.
                        Changed:
                          fortiguard_wf to fortiguard-wf
                          ftgd_block to ftgd-block
                          ftgd_ovrd to ftgd-ovrd
                          http_err to http-err
FortiOS v3.0 MR3        Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg ftp
Use this command to change default replacement messages added to FTP sessions when the antivirus
engine blocks a file either because of a matching file pattern or because a virus is detected.
By default, these are text-format messages with no header.
Command syntax pattern
  config system replacemsg ftp <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        FTP replacement message type. One of:                                No default.
                        ftp-dl-blocked    Antivirus system blocks a file that matches a
                                          file pattern.
                        ftp-dl-filesize   Antivirus system blocks an oversize file (one
                                          that is too large to scan).
                        ftp-dl-infected   Antivirus system detects a virus in a file being
                                          downloaded and blocks the file.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none              text
header <header_type>  Set the format of the message header, one of: 8bit, http, none       none
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Example
This example shows how to change the message sent when an FTP download is oversize.
  config system replacemsg ftp ftp-dl-filesize
    set buffer "This file download was blocked because it is > 10MB."
  end
Table 10: Replacement message tags
Tag                   Description
%%FILE%%              The name of a file that has been removed from a content stream. This could be a file
                      that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                      used in virus and file block messages.
%%VIRUS%%             The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                      be used in virus messages.
%%QUARFILENAME%%      The name of a file that has been removed from a content stream and added to the
                      quarantine. This could be a file that contained a virus or was blocked by antivirus file
                      blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                      Quarantining is only available on FortiGate units with a local disk.
%%URL%%               The URL of a web page. This can be a web page that is blocked by web filter content
                      or URL blocking. %%URL%% can also be used in http virus and file block messages to
                      be the URL of the web page from which a user attempted to download a file that is
                      blocked.
%%PROTOCOL%%          The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                      %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%         The IP address from which a virus was received. For email this is the IP address of the
                      email server that sent the email containing the virus. For HTTP this is the IP address
                      of the web page that sent the virus.
%%DEST_IP%%           The IP address of the computer that would have received the blocked file. For email
                      this is the IP address of the user's computer that attempted to download the message
                      from which the file was removed.
Command history
FortiOS v2.80         New
FortiOS v3.0 MR3      Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg hostcheck
These messages apply only to FortiGate model 224B.
Use this command to change default replacement messages that the FortiGate-224B unit uses as part of
the client host check feature. All of the messages are in HTML format.
Command syntax pattern
  config system replacemsg hostcheck <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        Hostcheck replacement message type, one of:                          No default.
                        allow-access        Access permitted.
                        deny-access         Access denied.
                        portal              Host check portal with links to download
                                            FortiClient or third-party antivirus software.
                        quarantine-access   User failed host check and was quarantined.
                        remedy-failed       Remedy did not resolve host check issue.
                        scan-access         Access permitted through dynamic policy.
                        submit-result       Host check completed, submit result.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none              html
header <header_type>  Set the format of the message header, one of: 8bit, http, none       http
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
For additional information about host check replacement messages, see "Changing the Host Check
pages" in the System Config chapter of the FortiGate Administration Guide.
Table 11: Replacement message tags
Tag                   Description
%%HC_FC_LINK%%        Link for download of FortiClient software image.
%%HC_REMEDY_LINK%%    Link to re-run host check after installing antivirus software.
%%HC_URL_LINK%%       Link(s) for downloadable third-party antivirus software.
Command history
FortiOS v3.0 MR5      New
replacemsg http
Use this command to change default replacement messages added to web pages when the antivirus
engine blocks a file in an HTTP session because of a matching file pattern or because a virus is
detected, or when web filter blocks a web page.
Command syntax pattern
  config system replacemsg http <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        HTTP replacement message type, one of:                               No default.
                        bannedword              The web filter banned word list blocks a
                                                web page.
                        http-block              The antivirus system blocks a file that
                                                matches a file pattern.
                        http-client-bannedword  The antivirus system blocks a file that
                                                matches a file pattern.
                        http-client-block       The antivirus system blocks a file that
                                                matches a file pattern.
                        http-client-filesize    The antivirus system blocks a file that is
                                                too large to scan.
                        http-client-virus       The antivirus system blocks a file that
                                                contains a virus.
                        http-filesize           The antivirus system blocks a file that is
                                                too large to be virus scanned.
                        http-virus              The antivirus system blocks a file that
                                                contains a virus.
                        infcache-block          The antivirus system blocks a URL that has
                                                a previously discovered virus.
                        url-block               Web filter URL blocking blocks a web page.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none              html
header <header_type>  Set the format of the message header, one of: 8bit, http, none       http
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Example
This example shows how to change the message that replaces a web page blocked for banned words.
  config system replacemsg http http-client-bannedword
    set buffer "This web page was blocked. It contains banned words."
  end
Table 12: Replacement message tags
Tag                   Description
%%FILE%%              The name of a file that has been removed from a content stream. This could be a file
                      that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                      used in virus and file block messages.
%%VIRUS%%             The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                      be used in virus messages.
%%QUARFILENAME%%      The name of a file that has been removed from a content stream and added to the
                      quarantine. This could be a file that contained a virus or was blocked by antivirus file
                      blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                      Quarantining is only available on FortiGate units with a local disk.
%%URL%%               The URL of a web page. This can be a web page that is blocked by web filter content
                      or URL blocking. %%URL%% can also be used in http virus and file block messages to
                      be the URL of the web page from which a user attempted to download a file that is
                      blocked.
%%PROTOCOL%%          The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                      %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%         The IP address of the web page from which a virus was received.
%%DEST_IP%%           The IP address of the computer that would have received the blocked file. For email
                      this is the IP address of the user's computer that attempted to download the message
                      from which the file was removed.
Command history
FortiOS v2.80         New
FortiOS v3.0 MR2      Added infcache-block replacemsg.
FortiOS v3.0 MR3      Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg im
Use this command to change default replacement messages added to instant messaging and peer-to-peer
sessions when either file-transfer or voice-chat is blocked.
By default, these are text messages with an 8-bit header.
Command syntax pattern
  config system replacemsg im <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        im replacement message type, one of:                                 No default.
                        im-file-xfer-block      The IM system blocks a file transfer.
                        im-file-xfer-infected   The IM system blocks a virus-infected file.
                        im-file-xfer-name       The IM system blocks a file due to file block list.
                        im-file-xfer-size       The IM system blocks an oversize file.
                        im-photo-share-block    The IM system blocks a photo-sharing request.
                        im-voice-chat-block     The IM system blocks voice chat.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none              text
header <header_type>  Set the format of the message header, one of: 8bit, http, none       8bit
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Example
This example shows how to change the message added to instant messaging sessions when voice
chat is blocked.
  config system replacemsg im im-voice-chat-block
    set buffer "Use of chat applications is not permitted."
  end
Table 13: Replacement message tags
Tag                   Description
%%FILE%%              The name of a file that has been removed from a content stream. This could be a file
                      that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                      used in virus and file block messages.
%%VIRUS%%             The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                      be used in virus messages.
%%QUARFILENAME%%      The name of a file that has been removed from a content stream and added to the
                      quarantine. This could be a file that contained a virus or was blocked by antivirus file
                      blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                      Quarantining is only available on FortiGate units with a local disk.
%%PROTOCOL%%          The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                      %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%         The IP address from which a virus was received. For email this is the IP address of the
                      email server that sent the email containing the virus. For HTTP this is the IP address
                      of the web page that sent the virus.
%%DEST_IP%%           The IP address of the computer that would have received the blocked file. For email
                      this is the IP address of the user's computer that attempted to download the message
                      from which the file was removed.
Command history
FortiOS v2.80         New
FortiOS v3.0          IM category added.
FortiOS v3.0 MR3      Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg mail
Use this command to change default replacement messages added to email messages when the antivirus
engine blocks a file either because of a matching file pattern or because a virus is detected, or when
spam filter blocks an email.
By default, these are text messages with an 8-bit header.
Command syntax pattern
  config system replacemsg mail <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        mail replacement message type, one of:                               No default.
                        email-block      The antivirus system blocks a file that matches a
                                         file pattern.
                        email-filesize   The antivirus system blocks an email message that
                                         is too large to be virus scanned.
                        email-virus      The antivirus system deletes a file from an email
                                         message that contains a virus.
                        partial          The FortiGate unit deletes a part of a fragmented
                                         email message.
                        smtp-block       The antivirus system blocks a file in an SMTP email
                                         message that matches a file pattern.
                        smtp-filesize    The antivirus system blocks an SMTP email message
                                         that is too large to be virus scanned.
                        smtp-virus       The antivirus system deletes a file from an SMTP
                                         email message that contains a virus.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none              text
header <header_type>  Set the format of the message header, one of: 8bit, http, none       8bit
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Example
This example shows how to change the email message that is sent to test the alert email system.
  config system replacemsg mail email-virus
    set buffer "The attachment was blocked because it contains a virus."
  end
Table 14: Replacement message tags
Tag                   Description
%%FILE%%              The name of a file that has been removed from a content stream. This could be a file
                      that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be
                      used in virus and file block messages.
%%VIRUS%%             The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                      be used in virus messages.
%%QUARFILENAME%%      The name of a file that has been removed from a content stream and added to the
                      quarantine. This could be a file that contained a virus or was blocked by antivirus file
                      blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                      Quarantining is only available on FortiGate units with a local disk.
%%PROTOCOL%%          The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected.
                      %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%         IP address of the email server that sent the email containing the virus.
%%DEST_IP%%           IP address of the user's computer that attempted to download the message from
                      which the file was removed.
%%EMAIL_FROM%%        The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%          The email address of the intended receiver of the message from which the file was
                      removed.
Command history
FortiOS v2.80         New
FortiOS v3.0 MR3      Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg nntp
Use this command to change the Network News Transfer Protocol (NNTP) download pages including:
  NNTP download blocked
  NNTP download filesize error
  NNTP download infected
These are HTML messages with HTTP headers.
Command syntax pattern
  config system replacemsg nntp auth_msg_type
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
auth_msg_type         FortiGuard replacement alertmail message type. One of:               No default
                        nntp-dl-blocked    A file being downloaded has been blocked, and
                                           quarantined.
                        nntp-dl-filesize   The article is larger than the configured size limit.
                        nntp-dl-infected   An attached file has had a virus detected in it. The
                                           file has been quarantined.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message: html, text, none                      No default
header <header_type>  Set the format of the message header: 8bit, http, none               Depends on
                                                                                           message type.
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Example
The default message for a detected virus is:
  Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%%
  Destination IP: %DST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To:
  %%EMAIL_TO%%
Table 15: Replacement message tags
Tag                   Description
%%FILE%%              The name of a file that has been removed from a content stream. This could be a file
                      that contained a virus or was blocked by antivirus file blocking. The file may have been
                      quarantined if a virus was detected. %%FILE%% can be used in virus and file block
                      messages.
%%QUARFILENAME%%      The name of a file that has been removed from a content stream and added to the
                      quarantine. This could be a file that contained a virus or was blocked by antivirus file
                      blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                      Quarantining is only available on FortiGate units with a local disk.
%%VIRUS%%             The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can
                      be used in virus messages.
Command history
FortiOS v3.0 MR4      New command.
replacemsg spam
Use this command to change default replacement messages added to SMTP email messages when spam
filter blocks an email message. By default, these are text messages with an 8-bit header.
Command syntax pattern
  config system replacemsg spam <message-type>
    set buffer <message>
    set format <format>
    set header <header_type>
  end
Note: If you unset the buffer for a replacement message, it will be cleared.
Variable              Description                                                          Default
<message-type>        spam replacement message type, one of:                               No default.
                        ipblocklist             The spam filter IP address list marked an email
                                                message as reject or as spam.
                        reversedns              Spam filtering return-email DNS check identified
                                                a message as spam.
                        smtp-spam-bannedword    The spam filter email address list marked an
                                                SMTP message as spam.
                        smtp-spam-emailblack    The spam filter email address list marked an
                                                email as spam.
                        smtp-spam-feip          FortiGuard-Spam blocked an email based on its
                                                originating IP address.
                        smtp-spam-fschksum      Checksum is in the FortiGuard-AntiSpam checksum
                                                blacklist.
                        smtp-spam-fsurl         FortiGuard-Spam blocked an email based on its
                                                originating URL.
                        smtp-spam-helo          An email message is blocked because the
                                                HELO/EHLO domain is invalid.
                        smtp-spam-mimeheader    The spam MIME headers list marked a message as
                                                spam.
                        smtp-spam-rbl           The spam filter DNSBL & ORDBL list marked an
                                                email message as reject or as spam.
                        submit                  The spam submit list marked an email as spam.
buffer <message>      Type a new replacement message to replace the current                Depends on
                      replacement message. Maximum length 8 192 characters.                message type.
format <format>       Set the format of the message, one of: html, text, none              text
header <header_type>  Set the format of the message header, one of: 8bit, http, none       8bit
Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.
Example
This example shows how to change the message added to SMTP mail that the spam filter has
blocked.
  config system replacemsg spam ipblocklist
    set buffer "This email was blocked as spam."
  end
Table 16: Replacement message tags
Tag                   Description
%%QUARFILENAME%%      The name of a file that has been removed from a content stream and added to the
                      quarantine. This could be a file that contained a virus or was blocked by antivirus file
                      blocking. %%QUARFILENAME%% can be used in virus and file block messages.
                      Quarantining is only available on FortiGate units with a local disk.
%%SOURCE_IP%%         The IP address from which a virus was received. For email this is the IP address of the
                      email server that sent the email containing the virus. For HTTP this is the IP address
                      of the web page that sent the virus.
%%DEST_IP%%           The IP address of the computer that would have received the blocked file. For email
                      this is the IP address of the user's computer that attempted to download the message
                      from which the file was removed.
%%EMAIL_FROM%%        The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%          The email address of the intended receiver of the message from which the file was
                      removed.
Command history
FortiOS v2.80         New
FortiOS v3.0 MR2      Added smtp-spam-fschksum replacement message.
FortiOS v3.0 MR3      Replacement messages increased in size from 4 096 to 8 192 bytes per message.
replacemsg sslvpn

Use this command to change the login page presented to SSL-VPN users.
This is an HTML message with an HTTP header.

Command syntax pattern

config system replacemsg sslvpn sslvpn-login
  set buffer <message>
  set format <format>
  set header <header_type>
end

Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.

Requirements for login page

The SSL login page is linked to FortiGate functionality and you must construct it according to the
following guidelines to ensure that it will work.
- The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and
  METHOD="%%SSL_METHOD%%".
- The form must contain the %%SSL_LOGIN%% tag to provide the logon form.
- The form must contain the %%SSL_HIDDEN%% tag.

Note: If you unset the buffer for a replacement message, it will be cleared.

Variables

buffer <message>
    Type a new replacement message to replace the current replacement message.
    Maximum length 8 192 characters.
    Default: depends on message type.

format <format>
    Set the format of the message: html, text, none.
    Default: no default.

header <header_type>
    Set the format of the message header: 8bit, http, none.
    Default: depends on message type.

Command history

FortiOS v3.0        sslvpn replacemsg category added.
FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.
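An added example, not code from the CLI Reference or from Fortinet: a Python pre-flight check that tests a candidate login page against the three guidelines above and the 8 192 character buffer limit before the page is loaded with set buffer. MINIMAL_LOGIN_PAGE and the function names are constructed for this example and are not part of FortiOS.

```python
"""Pre-flight check for a custom SSL-VPN login page before it is loaded with
'set buffer'. Added example, not code from the FortiGate CLI Reference: it
encodes only the three guidelines above and the buffer limit of 8 192 characters.
"""
import re

MAX_BUFFER = 8192  # maximum length of the buffer keyword, in characters

# Constructed minimal page that satisfies all three guidelines.
MINIMAL_LOGIN_PAGE = """\
<html><head><title>SSL-VPN Login</title></head>
<body>
<form action="%%SSL_ACT%%" method="%%SSL_METHOD%%">
%%SSL_LOGIN%%
%%SSL_HIDDEN%%
</form>
</body></html>
"""

# Group 1 is the opening <form ...> tag, group 2 the form body.
_FORM_RE = re.compile(r"(<form\b[^>]*>)(.*?)</form>", re.IGNORECASE | re.DOTALL)


def _attr(open_tag, name):
    """Value of a double-quoted attribute in a tag, or None if it is absent."""
    m = re.search(r"\b" + name + r'\s*=\s*"([^"]*)"', open_tag, re.IGNORECASE)
    return m.group(1) if m else None


def check_login_page(html):
    """Return a list of problems; an empty list means the page meets the guidelines.

    Only the first <form> element is examined, since the login page needs one.
    """
    problems = []
    if len(html) > MAX_BUFFER:
        problems.append(f"page is {len(html)} characters, limit is {MAX_BUFFER}")
    m = _FORM_RE.search(html)
    if m is None:
        problems.append("no <form> element found")
        return problems
    open_tag, body = m.group(1), m.group(2)
    if _attr(open_tag, "action") != "%%SSL_ACT%%":
        problems.append('form ACTION must be "%%SSL_ACT%%"')
    if _attr(open_tag, "method") != "%%SSL_METHOD%%":
        problems.append('form METHOD must be "%%SSL_METHOD%%"')
    for tag in ("%%SSL_LOGIN%%", "%%SSL_HIDDEN%%"):
        if tag not in body:
            problems.append(f"form is missing the {tag} tag")
    return problems


if __name__ == "__main__":
    for label, page in (("minimal", MINIMAL_LOGIN_PAGE),
                        ("broken", MINIMAL_LOGIN_PAGE.replace("%%SSL_HIDDEN%%", ""))):
        print(label, check_login_page(page) or "ok")
```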
session-helper

A session-helper binds a service to a TCP port. By default, there are 14 session helpers binding
services to standard ports. Use this command to configure a new session helper or to edit an existing
one.

Services, ports, and protocols

 1  pptp  port 1723  protocol 6
 2  h323  port 1720  protocol 6
 3  ras   port 1719  protocol 17
 4  tns   port 1521  protocol 6
 5  tftp  port 69    protocol 17
 6  rtsp  port 23    protocol 6
 7  rtsp  port 25    protocol 6
 8  ftp   port 21    protocol 6
 9  rtsp  port 554   protocol 6
10  rtsp  port 7070  protocol 6
11  pmap  port 111   protocol 17
12  mms   port 1863  protocol 6
13  pmap  port 111   protocol 6

Command syntax pattern

config system session-helper
  edit <helper-number>
    set name <helper-name>
    set port <port_number>
    set protocol <protocol_number>
end

Example

Use the following commands to change the ftp port from 21 to 1021:

config system session-helper
  edit 11
    set port 1021
end

Keywords and variables

edit <helper-number>
    Enter the number of the session-helper that you want to edit, or enter an unused number to
    create a new session-helper.
    Default: no default.

name <helper-name>
    The name of the session helper. One of:
    dns-tcp, dns-udp, ftp, h245I, h245O, h323, ident, mms, pmap, pptp, ras, rtsp, sip, tftp, tns.
    Default: no default.

port <port_number>
    Enter the port number to use for this protocol.
    Default: no default.

protocol <protocol_number>
    The protocol number for this service, as defined in RFC 1700.
    Default: no default.

Command history

FortiOS v2.80       New
FortiOS v3.0        Changed dns_tcp to dns-tcp and dns_udp to dns-udp.
session-ttl

Use this command to increase or decrease the length of time a TCP session can be idle before being
dropped. You can set the general default timeout or set the timeout for a specific port.

Command syntax pattern

config system session-ttl
  set default <seconds>
  config port
    edit <port_number>
      set timeout {<seconds> | never}
    end
end

Examples

The following command increases the default session timeout:

config system session-ttl
  set default 62000
end

Use the following command to change the session timeout for SSH on port 22 to 3600 seconds:

config system session-ttl
  config port
    edit 22
      set timeout 3600
    end
end

Variables

default <seconds>
    Enter the default session timeout in seconds. The valid range is from 300 to 604800 seconds.
    Default: 3600

edit <port_number>
    Enter the port number for the TCP session.
    Default: none.

timeout {<seconds> | never}
    Enter the number of seconds the session can be idle for on this port. The valid range is from
    300 to 604800 seconds. Optionally you can select never instead of specifying the number of
    seconds.
    Default: 300

Note: While it is possible to set a timeout for a session to a value that never expires, this is not a secure
configuration and should be avoided.

Command history

FortiOS v2.80       Revised.
FortiOS v3.0        Changed from session_ttl to session-ttl.
FortiOS v3.0 MR3    Added never keyword to timeout, and added valid ranges for times for
                    timeout and default.
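An added example, not code from the CLI Reference or from Fortinet: a Python audit that parses the session-ttl block of a CLI configuration dump and reports every port whose idle timeout is never or lies outside the documented 300-604800 second range. SAMPLE_CONFIG and the function names are constructed for this example.

```python
"""Audit 'config system session-ttl' in a FortiOS CLI configuration dump.

Added example, not code from the FortiGate CLI Reference. It parses the nested
config/edit/set/next/end syntax used in this section and flags per-port idle
timeouts of 'never' (see the note above) and values outside the documented
300-604800 second range.
"""
import shlex

MIN_TTL = 300       # documented valid range of default and timeout, in seconds
MAX_TTL = 604800

# Constructed sample dump: one block that is ignored, then a session-ttl block
# with an acceptable port, a never-expiring port and an out-of-range port.
SAMPLE_CONFIG = """\
config system global
    set hostname FGT-EXAMPLE
end
config system session-ttl
    set default 62000
    config port
        edit 22
            set timeout 3600
        next
        edit 3389
            set timeout never
        next
        edit 443
            set timeout 100
        next
    end
end
"""


def parse_session_ttl(config_text):
    """Return (default_timeout, {port: timeout}) from the session-ttl block.

    A timeout is an int or the string 'never'. 'end' inside an 'edit' closes
    both the entry and the 'config port' table, as in the page's example.
    """
    default, ports = None, {}
    in_block = in_port = False
    current_port = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[:3] == ["config", "system", "session-ttl"]:
            in_block = True
            continue
        if not in_block:
            continue
        if tokens[:2] == ["config", "port"]:
            in_port = True
        elif tokens[0] == "edit" and in_port:
            current_port = int(tokens[1])
        elif tokens[:2] == ["set", "default"]:
            default = int(tokens[2])
        elif tokens[:2] == ["set", "timeout"] and current_port is not None:
            ports[current_port] = "never" if tokens[2] == "never" else int(tokens[2])
        elif tokens[0] == "next":
            current_port = None
        elif tokens[0] == "end":
            if in_port:
                in_port, current_port = False, None
            else:
                in_block = False
    return default, ports


def audit_session_ttl(config_text):
    """Return a list of findings; an empty list means nothing to report."""
    default, ports = parse_session_ttl(config_text)
    findings = []
    if default is not None and not MIN_TTL <= default <= MAX_TTL:
        findings.append(f"default timeout {default}s outside {MIN_TTL}-{MAX_TTL}")
    for port, timeout in sorted(ports.items()):
        if timeout == "never":
            findings.append(f"port {port}: idle sessions never expire")
        elif not MIN_TTL <= timeout <= MAX_TTL:
            findings.append(f"port {port}: timeout {timeout}s outside {MIN_TTL}-{MAX_TTL}")
    return findings


if __name__ == "__main__":
    for finding in audit_session_ttl(SAMPLE_CONFIG):
        print(finding)
```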
settings

Use this command to change settings that are per-VDOM settings such as the operating mode and
default gateway. If the operating mode is Transparent, you must also set the management IP address.

system settings differs from system global in that system global keywords apply to the
entire FortiGate unit, whereas system settings keywords apply only to the current VDOM, or the
entire FortiGate unit if VDOMs are not enabled.

Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly
locate hardware failures in the network. Routers running BFD communicate with each other, and if a
timer runs out on a connection then that router is declared down. BFD then communicates this
information to the routing protocol and the routing information is updated. BFD support was added in
FortiOS v3.0 MR4, and can only be configured through the CLI.

Command syntax pattern

config system settings
  set asymroute {enable | disable}
  set bfd {enable | disable}
  set bfd-desired-min-tx <interval_msec>
  set bfd-required-min-tx <interval_msec>
  set bfd-detect-mult <multiplier>
  set bfd-dont-enforce-src-port {enable | disable}
  set device <interface_name>
  set ecmp-max-paths <max_entries>
  set gateway <gw_ipv4>
  set gateway-device <interface_name>
  set ip <if_ipv4>
  set manageip <manage_ipv4>
  set multicast-forward {enable | disable}
  set multicast-ttl-notchange {enable | disable}
  set opmode {nat | transparent}
  set sccp-port <port_number>
  set sip-helper {enable | disable}
  set sip-tcp-port <port_number>
  set sip-udp-port <port_number>
end

Variables

asymroute {enable | disable}
    Enable to turn on asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs
    enabled.
    This feature should only be used as a temporary check to troubleshoot a network. It is not
    intended to be enabled permanently. When it is enabled, many security features of your
    FortiGate unit are not enabled. For more information on
    Default: disabled

bfd {enable | disable}
    Enable to turn on bi-directional forwarding detection (BFD) for this virtual domain, or the
    whole FortiGate unit. BFD can be used with OSPF and BGP configurations, and overridden on a
    per-interface basis.
    Default: disable

bfd-desired-min-tx <interval_msec>
    Enter a value from 1 to 100000 msec as the preferred minimum transmit interval for BFD
    packets. If possible this will be the minimum used.
    This is only available when bfd is enabled.
    Default: 50

bfd-required-min-tx <interval_msec>
    Enter a value from 1 to 100000 msec as the required minimum transmit interval for BFD
    packets. The FortiGate unit will not transmit BFD packets at a slower rate than this.
    This is only available when bfd is enabled.
    Default: 50

bfd-detect-mult <multiplier>
    Enter a value from 1 to 50 for the BFD detection multiplier.
    Default: 3

bfd-dont-enforce-src-port {enable | disable}
    Enable to not enforce the BFD source port.
    Default: disable

device <interface_name>
    Enter the interface to use for management access. This is the interface to which ip applies.
    You must set this when you change opmode from transparent to nat.
    Default: no default.

ecmp-max-paths <max_entries>
    Enter the maximum number of routes allowed to be included in an Equal Cost Multi-Path (ECMP)
    configuration. Set to 1 to disable ECMP routing.
    ECMP routes have the same distance and the same priority, and can be used in load balancing.
    Default: 10

gateway <gw_ipv4>
    Enter the default gateway IP address. You must set this when you change opmode from nat to
    transparent.
    This option is not available in transparent mode.
    Default: no default.

gateway-device <interface_name>
    Enter the interface through which the default gateway can be reached. You must set this when
    you change opmode from transparent to nat.
    This option is not available in transparent mode.
    Default: no default.

ip <if_ipv4>
    Enter the IP address to use after switching to nat mode. You must set this when you change
    opmode from transparent to nat.
    Default: no default.

manageip <manage_ipv4>
    Set the IP address and netmask of the Transparent mode management interface. You must set
    this when you change opmode from nat to transparent.
    This option is not available in transparent mode.
    Default: no default.

multicast-forward {enable | disable}
    Enable or disable multicast forwarding to forward any multicast IP packets in which the TTL
    is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL
    in the IP header will be reduced by 1.
    When multiple VDOMs are configured, this option is only available within VDOMs.
    Default: disable

multicast-ttl-notchange {enable | disable}
    Enable to alter multicast forwarding so that it does not decrement the time-to-live (TTL) in
    the packet header. Disable for normal multicast forwarding behavior.
    In multiple VDOM mode, this option is only available within VDOMs. It is not available at the
    global level.
    Default: disable

opmode {nat | transparent}
    Enter the required operating mode.
    If you change opmode from nat to transparent, you must set manageip and gateway.
    If you change opmode from transparent to nat, you must set device, ip, gateway-device and
    gateway.
    Default: nat

sccp-port <port_number>
    Enter the port number from 1 to 65535 of the TCP port to use to monitor Skinny Client Control
    Protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.
    Default: 2000

sip-helper {enable | disable}
    Enable to use the helper to add dynamic SIP firewall allow rules.
    Default: enable

sip-tcp-port <port_number>
    Enter a port number from 1 to 65535 for the TCP port the SIP proxy will use to monitor for
    SIP traffic.
    Default: 5060

sip-udp-port <port_number>
    Enter a port number from 1 to 65535 for the UDP port the SIP proxy will use to monitor for
    SIP traffic.
    Default: 5060

Command history

FortiOS v3.0        New.
                    opmode moved from system global.
                    manageip moved from system manageip.
FortiOS v3.0 MR3    Added multicast-forward and multicast-ttl-notchange.
FortiOS v3.0 MR4    Added asymroute, bfd, bfd-desired-min-tx, bfd-required-min-tx,
                    bfd-detect-mult, bfd-dont-enforce-src-port, sccp-port, sip-helper,
                    sip-tcp-port, and sip-udp-port.

Related Commands

vdom
snmp community

Use this command to configure SNMP communities on your FortiGate unit. You add SNMP
communities so that SNMP managers can connect to the FortiGate unit to view system information
and receive SNMP traps. You can add up to three SNMP communities. Each community can have a
different configuration for SNMP queries and traps. Each community can be configured to monitor the
FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP
managers to each community.

Command syntax pattern

config system snmp community
  edit <index_number>
    set events <events_list>
    set name <community_name>
    set query-v1-port <port_number>
    set query-v1-status {enable | disable}
    set query-v2c-port <port_number>
    set query-v2c-status {enable | disable}
    set status {enable | disable}
    set trap-v1-lport <port_number>
    set trap-v1-rport <port_number>
    set trap-v1-status {enable | disable}
    set trap-v2c-lport <port_number>
    set trap-v2c-rport <port_number>
    set trap-v2c-status {enable | disable}
    config hosts
      edit <host_number>
        set interface <if_name>
        set ip <address_ipv4>
      end
  end

Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it
will be monitoring. Otherwise the SNMP manager will not receive any traps from that FortiGate unit, or be
able to query it.

Variables

edit <index_number>
    Enter the index number of the community in the SNMP communities table. Enter an unused index
    number to create a new SNMP community.

events <events_list>
    Enable the events for which the FortiGate unit should send traps to the SNMP managers in this
    community.
    Default: all events enabled.
    av-fragmented       A fragmented file has been detected.
    av-oversize         An oversized file has been detected.
    av-pattern          A file matching the AV pattern is detected.
    av-virus            A virus is detected.
    cpu-high            CPU usage exceeds threshold. Default is 80%.
    fm-conf-change      FortiGate unit is managed by FortiManager, but the FortiGate
                        administrator has modified the configuration directly.
    fm-if-change        FortiManager interface changes.
    ha-hb-failure       The HA heartbeat interface has failed.
    ha-member-down      An HA cluster member stops.
    ha-member-up        An HA cluster member starts.
    ha-switch           The primary unit in an HA cluster fails and is replaced with a new
                        HA unit.
    intf-ip             The IP address of a FortiGate interface changes.
    ips-anomaly         IPS detects an anomaly.
    ips-signature       IPS detects an attack.
    log-full            Hard drive usage exceeds threshold. Default is 90%.
    mem-low             Memory usage exceeds threshold. Default is 80%.
    temperature-high    Sensors report temperature too high. This event is only available
                        on FortiGate 5001.
    voltage-alarm       Sensors report the voltage is outside of the allowed range. This
                        event is only available on FortiGate 5001.
    vpn-tun-down        A VPN tunnel stops.
    vpn-tun-up          A VPN tunnel starts.

name <community_name>
    Enter the name of the SNMP community.
    Default: no default.

query-v1-port <port_number>
    Enter the SNMP v1 query port number used for SNMP manager queries.
    Default: 161

query-v1-status {enable | disable}
    Enable or disable SNMP v1 queries for this SNMP community.
    Default: enable

query-v2c-port <port_number>
    Enter the SNMP v2c query port number used for SNMP manager queries.
    Default: 161

query-v2c-status {enable | disable}
    Enable or disable SNMP v2c queries for this SNMP community.
    Default: enable

status {enable | disable}
    Enable or disable the SNMP community.
    Default: enable

trap-v1-lport <port_number>
    Enter the SNMP v1 local port number used for sending traps to the SNMP managers.
    Default: 162

trap-v1-rport <port_number>
    Enter the SNMP v1 remote port number used for sending traps to the SNMP managers.
    Default: 162

trap-v1-status {enable | disable}
    Enable or disable SNMP v1 traps for this SNMP community.
    Default: enable

trap-v2c-lport <port_number>
    Enter the SNMP v2c local port number used for sending traps to the SNMP managers.
    Default: 162

trap-v2c-rport <port_number>
    Enter the SNMP v2c remote port number used for sending traps to the SNMP managers.
    Default: 162

trap-v2c-status {enable | disable}
    Enable or disable SNMP v2c traps for this SNMP community.
    Default: enable

hosts variables

edit <host_number>
    Enter the index number of the host in the table. Enter an unused index number to create a
    new host.

interface <if_name>
    Enter the name of the FortiGate interface to which the SNMP manager connects.
    Default: no default.

ip <address_ipv4>
    Enter the IP address of the SNMP manager.
    Default: 0.0.0.0

Example

This example shows how to add a new SNMP community named SNMP_Com1. The default
configuration can be used in most cases with only a few modifications. In the example below the
community is added, given a name, and then, because this community is for an SNMP manager that is
SNMP v1 compatible, all v2c functionality is disabled. After the community is configured the SNMP
manager is added. The SNMP manager IP address is 192.168.20.34 and it connects to the FortiGate
unit internal interface.

config system snmp community
  edit 1
    set name SNMP_Com1
    set query-v2c-status disable
    set trap-v2c-status disable
    config hosts
      edit 1
        set interface internal
        set ip 192.168.10.34
      end
  end

Command history

FortiOS v2.80       Substantially revised.
FortiOS v2.80 MR6   fm_if_change added to events.
FortiOS v3.0        Event names hyphens changed to underscores.
                    Changed underscores to hyphens in keywords.
FortiOS v3.0 MR3    New events added: av-fragmented, av-oversized, av-pattern, ha-hb-failure,
                    temperature-high, and voltage-alarm. Added note.

Related topics

system snmp sysinfo
snmp sysinfo

Use this command to enable the FortiGate SNMP agent and to enter basic system information used by
the SNMP agent. Use information about the FortiGate unit to identify it. When your SNMP manager
receives traps from the FortiGate unit, you will know which unit sent the information.

Command syntax pattern

config system snmp sysinfo
  set contact-info <info_str>
  set description <description>
  set location <location>
  set status {enable | disable}
  set trap-high-cpu-threshold <percentage>
  set trap-log-full-threshold <percentage>
  set trap-low-memory-threshold <percentage>
end

Example

This example shows how to enable the FortiGate SNMP agent and add basic SNMP information.

config system snmp sysinfo
  set status enable
  set contact-info 'System Admin ext 245'
  set description 'Internal network unit'
  set location 'Server Room A121'
end

Keywords and variables

contact-info <info_str>
    Add the contact information for the person responsible for this FortiGate unit. The contact
    information can be up to 35 characters long.
    Default: no default.

description <description>
    Add a name or description of the FortiGate unit. The description can be up to 35 characters
    long.
    Default: no default.

location <location>
    Describe the physical location of the FortiGate unit. The system location description can be
    up to 35 characters long.
    Default: no default.

status {enable | disable}
    Enable or disable the FortiGate SNMP agent.
    Default: disable

trap-high-cpu-threshold <percentage>
    Enter the percentage of CPU used that will trigger the high-cpu threshold SNMP trap.
    Default: 80

trap-log-full-threshold <percentage>
    Enter the percentage of disk space used that will trigger the log-full threshold SNMP trap.
    Default: 90

trap-low-memory-threshold <percentage>
    Enter the percentage of memory used that will trigger the low-memory threshold SNMP trap.
    Default: 80

Command history

FortiOS v2.80       Revised.
FortiOS v3.0        Changed contact_info to contact-info.
FortiOS v3.0 MR2    Added 3 trap- commands.

Related topics

system snmp community
tos-based-priority

Use this command to prioritize your network traffic based on its type-of-service (TOS).

IP datagrams have a TOS byte in the header (as described in RFC 791). Four bits within this field
determine the delay, the throughput, the reliability, and the cost associated with that service. Together
these bits are the tos variable of the tos-based-priority command.

The TOS information can be used to manage network traffic based on the needs of the application or
service. TOS application routing (RFC 1583) is supported by OSPF routing.

Command syntax pattern

config system tos-based-priority
  edit <name>
    set tos <ip_tos_value>
    set priority [high | medium | low]
end

Examples

It is a good idea to have your entry names in the tos-based-priority table and their TOS values be the
same. Otherwise it can become confusing.

config system tos-based-priority
  edit 1
    set tos 1
    set priority low
  next
  edit 4
    set tos 4
    set priority medium
  next
  edit 6
    set tos 6
    set priority high
  next
end

Variables

edit <name>
    Enter the name of the tos-based-priority entry to create.
    Default: no default.

tos <ip_tos_value>
    Enter the value of the type of service byte in the IP datagram header. This value can be
    from 0 to 15.
    Default: 0

priority [high | medium | low]
    Select the priority of this type of service as either high, medium, or low priority. These
    priority levels conform to the firewall traffic shaping priorities.
    Default: high

Command history

Related topics

system global
router ospf
execute ping-options
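An added example, not code from the CLI Reference or from Fortinet: a Python script that reads the TOS octet from a constructed IPv4 header, derives the 0-15 value that the tos keyword expects, and looks up the priority in the example table above. The assumption that tos is the four-bit TOS field in bits 3-6 of the TOS octet (RFC 791 as extended by RFC 1349) and all function names are mine, not FortiOS.

```python
"""Derive the tos-based-priority 'tos' value from an IPv4 header's TOS octet.

Added example, not code from the FortiGate CLI Reference. Assumption: the
0-15 'tos' value is the four-bit TOS field of RFC 791 / RFC 1349 (bits 3-6 of
the TOS octet: delay, throughput, reliability, cost), so it is (octet >> 1) & 0xF.
The priority table reproduces the page's example (tos 1 low, 4 medium, 6 high).
"""
import socket
import struct

# RFC 1349 meaning of each bit of the four-bit TOS field, most significant first.
TOS_BIT_NAMES = {8: "minimize-delay", 4: "maximize-throughput",
                 2: "maximize-reliability", 1: "minimize-cost"}

# tos value -> priority, as configured in the page's example above.
PRIORITY_TABLE = {1: "low", 4: "medium", 6: "high"}


def tos_from_octet(tos_octet):
    """Four TOS bits from the TOS octet (second byte of the IPv4 header)."""
    if not 0 <= tos_octet <= 0xFF:
        raise ValueError("TOS octet must be a single byte")
    return (tos_octet >> 1) & 0x0F


def describe_tos(tos_value):
    """Names of the bits set in a 0-15 tos value, most significant first."""
    return [name for bit, name in TOS_BIT_NAMES.items() if tos_value & bit]


def build_ipv4_header(tos_octet, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed 20-byte IPv4 header carrying the given TOS octet (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos_octet, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def priority_for_packet(ipv4_header, table=PRIORITY_TABLE, default="high"):
    """Return (tos_value, priority) for a raw IPv4 header.

    A tos value with no table entry gets the default; 'high' is the documented
    default of the priority keyword.
    """
    if len(ipv4_header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    version_ihl, tos_octet = struct.unpack("!BB", ipv4_header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos_value = tos_from_octet(tos_octet)
    return tos_value, table.get(tos_value, default)


def render_cli(table=PRIORITY_TABLE):
    """Render a table as a 'config system tos-based-priority' block, naming
    each entry after its tos value as the section recommends."""
    lines = ["config system tos-based-priority"]
    for tos_value, priority in sorted(table.items()):
        lines += [f"  edit {tos_value}", f"    set tos {tos_value}",
                  f"    set priority {priority}", "  next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # 0xE0 is precedence 7 with no TOS bits set, so it maps to tos 0.
    for octet in (0x02, 0x08, 0x0C, 0x10, 0xE0):
        value, prio = priority_for_packet(build_ipv4_header(octet))
        print(f"TOS octet 0x{octet:02X}: tos {value:2d} {describe_tos(value)} -> {prio}")
    print(render_cli())
```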
vdom-link

Use this command to create an internal point-to-point interface object. This object is a link used to join
virtual domains.

Creating the interface object also creates 2 new interface objects by the name of <name>0 and
<name>1. For example, if your object was named v_link, the 2 interface objects would be named
v_link0 and v_link1. You can then configure these new interfaces as you would any other virtual
interface using config system interface.

When using vdom-links in HA, you can only have vdom-links in one vcluster. If you have vclusters
defined, you must use the vcluster keyword to determine which vcluster will be allowed to contain the
vdom-links.

As of FortiOS v3.0 MR3, inter-VDOM links support BGP routing.

For more information on the vdom-link command see Configuring inter-VDOM routing on page 53
and the FortiGate VLANs and VDOMs Guide.

Command syntax pattern

config system vdom-link
  edit <name>
end

Examples

In this example you have already created two virtual domains called v1 and v2. You want to set up a
link between them. The following command creates the VDOM link called v12_link. Once you have the
link you need to bind its two ends to the VDOMs it will be working with.

config system vdom-link
  edit v12_link
end
config system interface
  edit v12_link0
    set vdom v1
  next
  edit v12_link1
    set vdom v2
end

If you want to delete the vdom-link, you must delete the interface; in the above example this would be:

config system interface
  delete v12_link
end

Variables

edit <name>
    Enter the name of the link object to create. You are limited to 8 characters maximum for the
    name.
    Default: no default.

vcluster {1 | 2}
    Select vcluster 1 or 2 as the only vcluster to have inter-VDOM links.
    This option is available only when HA and vclusters are configured, and there are VDOMs in
    both vclusters.

Command history

FortiOS v3.0        New command.
FortiOS v3.0 MR4    Added vcluster keyword.

Related topics

system interface
wireless mac-filter

Use this command to configure the WLAN interface wireless MAC filter on the FortiWiFi-60 unit in AP
mode.

Command syntax pattern

config system wireless mac-filter
  set default-acl {allow | deny}
  set status {enable | disable}
  config mac-list
    edit <list_number>
      set acl {allow | deny}
      set mac <mac_address>
    end
end

Examples

This example shows how to enable the MAC filter, specify that unlisted MAC addresses should be
denied access, and add MAC address 12:34:56:78:90:AB to the MAC filter Allow list:

config system wireless mac-filter
  set status enable
  set default-acl deny
  config mac-list
    edit 1
      set acl allow
      set mac 12:34:56:78:90:AB
    end
end

Variables

default-acl {allow | deny}
    Select whether unlisted MAC addresses are allowed or denied access.
    Default: deny

edit <list_number>
    Enter the number of the MAC filter list that you want to edit. Enter an unused number to
    create a new list.

status {enable | disable}
    Enable or disable the MAC filter.
    Status is always disable in Client mode.
    Default: disable

mac-list variables

acl {allow | deny}
    Select Allow or Deny for the access control list (ACL).
    Default: deny

mac <mac_address>
    Set the MAC address to add to the list.
    Default: no default.

Command history

FortiOS v2.80E      New command, incorporating config system network wireless wlan.
FortiOS v3.0        Changed mac_filter to mac-filter, default_acl to default-acl, mac_list to
                    mac-list.

Related topics

system wireless settings
system interface
wireless settings

Use this command to configure the WLAN interface wireless settings on the FortiWiFi-60 unit.

Command syntax pattern

config system wireless settings
  set band {802.11a | 802.11b | 802.11g}
  set beacon_interval <integer>
  set broadcast_ssid {enable | disable}
  set channel <channel_number>
  set fragment_threshold <bytes>
  set geography <region>
  set key <WEP-key_hex>
  set mode <opmode>
  set passphrase <string>
  set power_level <dBm>
  set radius-server <radius_name>
  set rts_threshold <integer>
  set security <sec_mode>
  set ssid <ssid_string>
end

Example

This example shows how to configure the wireless interface.

config system wireless settings
  set channel 4
  set geography Americas
  set security WEP128
  set ssid test_wifi
end

Variables

band {802.11a | 802.11b | 802.11g}
    Enter the wireless band to use. (FortiWiFi-60A only)
    Default: 802.11g

beacon_interval <integer>
    Set the interval between beacon packets. Access Points broadcast Beacons or Traffic
    Indication Messages (TIM) to synchronize wireless networks. In an environment with high
    interference, decreasing the Beacon Interval might improve network performance. In a
    location with few wireless nodes, you can increase this value.
    This is available in AP mode only.
    Default: 100

broadcast_ssid {enable | disable}
    Enable if you want the FortiWiFi-60 to broadcast its SSID.
    For the FortiWiFi-60A unit, see wifi-broadcast-ssid in the system interface command.
    Default: disable

channel <channel_number>
    Select a channel number for your FortiWiFi-60 wireless network.
    Users who want to use the wireless network should configure their computers to use this
    channel for wireless networking.
    Default: 5

fragment_threshold <bytes>
    Set the maximum size of a data packet before it is broken into two or more packets. Reducing
    the threshold can improve performance in environments that have high interference.
    Range 800-2346.
    This is available in AP mode only.
    For the FortiWiFi-60A unit, see wifi-fragment_threshold <packet_size> in the system
    interface command.
    Default: 2346

geography <region>
    Select the country or region in which this FortiWiFi-60 will operate: Americas, EMEA,
    Israel, Japan, World.
    Default: World

key <WEP-key_hex>
    Enter a WEP key. The WEP key must be 10 or 26 hexadecimal digits (0-9 a-f). For a 64-bit WEP
    key, enter 10 hexadecimal digits. For a 128-bit WEP key, enter 26 hexadecimal digits.
    This is available in AP mode only when security is set to WEP128 or WEP64.
    For the FortiWiFi-60A unit, see wifi-key <hex_key> in the system interface command.
    Default: no default.

mode <opmode>
    Enter the operation mode for the wireless interface:
    Access Point (AP): multiple wireless clients can connect to the unit.
    Client: connect to another wireless network as a client.
    Default: AP

passphrase <string>
    Enter the shared key for WPA_PSK security. security must be set to WPA_PSK.
    This is available in AP mode only.
    For the FortiWiFi-60A unit, see wifi-passphrase <pass_str> in the system interface command.
    Default: no default.

power_level <dBm>
    Set the transmitter power level in dBm. Range 0 to 31.
    This is available in AP mode only.
    Default: 31

radius-server <radius_name>
    Set the RADIUS server name for WPA_RADIUS security.
    This is only available in AP mode when security is set to WPA_RADIUS.
    For the FortiWiFi-60A unit, see wifi-radius-server <server_name> in the system interface
    command.
    Default: no default.

rts_threshold <integer>
    The Request to Send (RTS) threshold sets the time the unit waits for a Clear to Send (CTS)
    acknowledgement from another wireless device. Range 256-2347.
    This is available in AP mode only.
    For the FortiWiFi-60A unit, see wifi-rts_threshold <integer> in the system interface command.
    Default: 2347

security <sec_mode>
    Enter the security (encryption) mode:
    None: communication is not encrypted.
    WEP64: WEP 64-bit encryption.
    WEP128: WEP 128-bit encryption.
    WPA_PSK: WPA encryption with pre-shared key. This is available in AP mode only.
    WPA_RADIUS: WPA encryption via RADIUS server. This is available in AP mode only.
    For the FortiWiFi-60A unit, see wifi-security <sec_mode> in the system interface command.
    Default: None

ssid <ssid_string>
    Change the Service Set ID (SSID) as required.
    The SSID is the wireless network name that the FortiWiFi-60 broadcasts. Users who wish to use
    the FortiWiFi-60 wireless network should configure their computers to connect to the network
    that broadcasts this network name.
    For the FortiWiFi-60A unit, see wifi-ssid <id_str> in the system interface command.
    Default: fortinet

Command history

FortiOS v2.80E      Command changed from config system wireless wlan.
                    Keywords added: beacon_interval, broadcast_ssid, fragment_threshold,
                    passphrase, power_level, radius_server, rts_threshold

Related topics

system interface
system vdom-link
zone

Use this command to add or edit zones.

In NAT/Route mode, you can group related interfaces or VLAN subinterfaces into zones. Grouping
interfaces and subinterfaces into zones simplifies policy creation. For example, if you have two
interfaces connected to the Internet, you can add both of these interfaces to the same zone. Then you
can configure policies for connections to and from this zone, rather than to and from each interface.

In Transparent mode you can group related VLAN subinterfaces into zones and add these zones to
virtual domains.

Command syntax pattern

config system zone
  edit <zone_name>
    set interface <name_str>
    set intrazone {allow | deny}
end

Example

This example shows how to add a zone named Zone1, add the internal interface to it, and deny
routing between different interfaces in the zone.

config system zone
  edit Zone1
    set interface internal
    set intrazone deny
end

Keywords and variables

edit <zone_name>
    Enter the name of a new or existing zone.

interface <name_str>
    Add the specified interface to this zone. You cannot add an interface if it belongs to
    another zone or if firewall policies are defined for it.
    Default: no default.

intrazone {allow | deny}
    Allow or deny traffic routing between different interfaces in the same zone.
    Default: deny

Command history

FortiOS v2.80       Revised.
FortiOS v2.80 MR2   intrazone now available on all models. All models support zones.
                    Added interface keyword (was part of config system interface).

Related topics

system interface
user
This chapter covers
configuration of the FortiGate unit to use external authentication servers, including
Windows Active Directory
configuration of user accounts and user groups for firewall policy authentication, administrator
authentication and some types of VPN authentication
configuration of peers and peer groups for IPSec VPN authentication and PKI user authentication
This chapter contains the following sections:
Configuring users for authentication
adgrp
fsae
group
ldap
local
peer
peergrp
radius
Configuring users for authentication
This chapter covers two types of user configuration:
users authenticated by password
users, sites or computers (peers) authenticated by certificate
Configuring users for password authentication
You need to set up authentication in the following order:
1 If external authentication is needed, configure the required servers.
See user radius on page 428.
See user ldap on page 420.
For Windows Active Directory, see user fsae on page 414.
2 Configure local user identities.
For each user, you can choose whether the FortiGate unit or an external authentication server verifies
the password.
See user local on page 423.
3 Create user groups.
Add local users to each user group as appropriate. You can also add an authentication server to a user
group. In this case, all users in the servers database can authenticate to the FortiGate unit.
See user group on page 416.
For Windows Active Directory, also see user adgrp on page 413.
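The following is an added example, not from the original reference, that carries the three steps above through in order: one RADIUS server, two local users (one verified by the FortiGate unit itself, one verified by RAD1), and two user groups that differ only in how the server is used. The addresses, names, shared secret and passwords are placeholders constructed for this example.

```fortios
config user radius
    edit RAD1
        set server 10.10.1.20
        set secret Xk7vQ2pL9mR4tZ8w
    end

config user local
    edit jsmith
        set status enable
        set type password
        set passwd Tmp-Passw0rd-Change
    next
    edit agarcia
        set status enable
        set type radius
        set radius-server RAD1
    end

config user group
    edit Staff
        set group-type firewall
        set member jsmith agarcia
        set authtimeout 30
    next
    edit Any_RADIUS_Account
        set group-type firewall
        set member RAD1
    end
```

Staff admits only the two named accounts, and agarcia's password is still checked by RAD1 because of the local user's type. Any_RADIUS_Account admits every account that RAD1 can verify, because a server added as a member is consulted for whatever user name is presented; use that form only when the whole server database is meant to pass the policy. Member order matters as described under user group: local user names listed first are checked before any server in the list.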
Configuring peers for certificate authentication
If your FortiGate unit will host IPSec VPNs that authenticate clients using certificates, you need to
prepare for certificate authentication as follows:
1 Import the CA certificates for clients who authenticate with a FortiGate unit VPN using certificates.
See vpn certificate ca on page 432.
2 Enter the certificate information for each VPN client (peer).
See user peer on page 425.
3 Create peer groups, if you have VPNs that authenticate by peer group. Assign the appropriate peers to
each peer group.
See user peergrp on page 427.
For detailed information about IPSec VPNs, see the FortiGate IPSec VPN Guide. For CLI-specific
information about VPN configuration, see the VPN chapter of this Reference.
adgrp
Use this command to list Active Directory user groups.
Command syntax pattern
get user adgrp [<adgroupname>]
If you do not specify a group name, the command returns information for all Active Directory groups. For example:
== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers    server-name: ADserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers    server-name: ADserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins    server-name: ADserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers    server-name: ADserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers    server-name: ADserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests    server-name: ADserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users    server-name: ADserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins    server-name: ADserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners    server-name: ADserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins    server-name: ADserv1
If you specify an Active Directory group name, the command returns information for only that group. For example:
name : DOCTEST/Developers
server-name : ADserv1
The server-name is the name you assigned to the Active Directory server when you configured it in the user fsae command.
Command history
FortiOS v3.0    New.
Related topics
user fsae
execute fsae refresh
fsae
Use this command to configure the FortiGate unit to receive user group information from a Windows
Active Directory server equipped with the Fortinet Server Authentication Extensions (FSAE). You can
specify up to five computers on which a FSAE collector agent is installed. The FortiGate unit uses
these collector agents in a redundant configuration. If the first agent fails, the FortiGate unit attempts to
connect to the next agent in the list.
You can add Windows user groups to Active Directory type user groups for authentication in firewall
policies.
Command syntax pattern
config user fsae
    edit <server_name>
        set server <domain>
        set password <password>
        set server2 <domain2>
        set password2 <password2>
        set server3 <domain3>
        set password3 <password3>
        set server4 <domain4>
        set password4 <password4>
        set server5 <domain5>
        set password5 <password5>
        set port <port_number> [<port_number2> <port_number3> <port_number4> <port_number5>]
    end
Each collector agent has its own server and password keyword (server, server2, and so on). port takes one value per collector agent, in the same order as the server keywords.
edit <server_name>
    Enter a name to identify the Windows AD server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
    Default: No default.
password <password>, password2 <password2>, password3 <password3>, password4 <password4>, password5 <password5>
    For each collector agent, enter the password.
    Default: No default.
port <port_number> <port_number2> <port_number3> <port_number4> <port_number5>
    For each collector agent, enter the port number used for communication with FortiGate units.
    Default: 8000
server <domain>, server2 <domain2>, server3 <domain3>, server4 <domain4>, server5 <domain5>
    Enter the domain name or IP address for up to five collector agents.
    Default: No default.
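The reference gives no example for this command, so the following is an added one, not from the original. It defines a server named ADserv1 with two redundant collector agents (the second is used only if the first cannot be reached) and then creates an Active Directory type user group for one of the groups that appeared in the get user adgrp listing above. The agent addresses and passwords are constructed; that the group is referenced by the DOCTEST/Developers name exactly as adgrp prints it is an assumption of this example.

```fortios
config user fsae
    edit ADserv1
        set server 10.10.2.5
        set password Ag3nt-S3cret-One
        set server2 10.10.2.6
        set password2 Ag3nt-S3cret-Two
        set port 8000 8000
    end

config user group
    edit AD_Developers
        set group-type active-directory
        set member DOCTEST/Developers
    end
```

Members of AD_Developers are authenticated by their Windows domain logon, as described under user group, so the FortiGate unit never sees their passwords; the collector agent password above only protects the FortiGate-to-agent channel. Run execute fsae refresh after defining the server so that get user adgrp reflects the groups the agent currently reports.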
Command history
FortiOS v3.0    New.
Related topics
user group
execute fsae refresh
firewall policy, policy6
group
Use this command to add or edit user groups.
There are three types of user groups:
Firewall user group
    Provides access to firewall policies that require authentication. A firewall policy specifies the user groups that are allowed to use the policy. Members of a firewall user group can be local users defined in user local, peer members defined in user peer, or accounts on RADIUS or LDAP servers configured in user radius or user ldap. Users must provide a user name and password to use the firewall policy.
SSL-VPN user group
    Provides access to the FortiGate SSL-VPN tunnel and SSL-VPN web applications. Members of an SSL-VPN user group can be local users defined in user local or accounts on RADIUS or LDAP servers configured in user radius or user ldap. Users authenticate using their VPN client or through the SSL-VPN web portal login page.
Active Directory user group
    Provides access to firewall policies that require authentication. Members of an Active Directory user group are members of selected Active Directory user groups on Active Directory servers configured in user fsae. Users are authenticated when they log on to their Windows domain and are not required to authenticate again to use FortiGate firewall policies.
Note: User groups can include peer members defined in user peer.
To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
Firewall policies that require authentication
    Only users in the selected user group or users that can authenticate with the RADIUS or LDAP servers added to the user group can authenticate with these policies.
SSL-VPN configurations
IPSec VPN Phase 1 configurations for dialup users
    Only users in the selected user group can authenticate to use the VPN tunnel.
XAuth for IPSec VPN Phase 1 configurations
    Only users in the selected user group can be authenticated using XAuth.
FortiGate PPTP and L2TP configurations
    Only users in the selected user group can use the PPTP or L2TP configuration.
Administrator login with RADIUS authentication
    If you use a user group for administrator authentication, it must contain only RADIUS servers.
FortiGuard Web Filtering override groups
    When FortiGuard Web Filtering blocks a web page, authorized users can authenticate to access the web page or to allow members of another group to access it.
When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added determines the order in which the FortiGate unit checks for authentication. If user names are first, the FortiGate unit checks first for a match with the local user names; if no match is found, it then checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks the server first and then the local user names.
A RADIUS or LDAP server added as a member admits every account in that server's database. When only particular accounts should be allowed, define them in user local with type radius or ldap and add those user names to the group instead of the server itself.
Command syntax pattern
config user group
    edit <groupname>
        set authtimeout <timeout>
        set group-type <grp_type>
        set member <names>
        set profile <profilename>
        set ftgd-wf-ovrd {allow | deny}
        set ftgd-wf-ovrd-dur <###d##h##m>
        set ftgd-wf-ovrd-dur-mode <mode>
        set ftgd-wf-ovrd-ext <option>
        set ftgd-wf-ovrd-scope <scope>
        set ftgd-wf-ovrd-type <o_type>
        set redir-url <url_string>
        set sslvpn-cache-cleaner {enable | disable}
        set sslvpn-client-check {3rdAV | 3rdFW | forticlient}
        set sslvpn-portal-heading <web_portal_string>
        set sslvpn-tunnel {enable | disable}
        set sslvpn-tunnel-startip <ipv4>
        set sslvpn-tunnel-endip <ipv4>
        set sslvpn-split-tunneling {enable | disable}
        set sslvpn-webapp {enable | disable}
        set sslvpn-ftp {enable | disable}
        set sslvpn-http {enable | disable}
        set sslvpn-samba {enable | disable}
        set sslvpn-telnet {enable | disable}
        set sslvpn-vnc {enable | disable}
        set sslvpn-rdp {enable | disable}
    end
edit <groupname>
    Enter a new name to create a new group or enter an existing group name to edit that group.
    Default: No default.
group-type <grp_type>
    Enter the group type. <grp_type> determines the type of users and is one of the following:
    active-directory - Active Directory users
    firewall - FortiGate users defined in user local, user ldap or user radius
    sslvpn - SSL-VPN users
    Default: firewall
member <names>
    Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
    Default: No default.
profile <profilename>
    Enter the name of the firewall protection profile to associate with this user group.
    Default: No default.
authtimeout <timeout>
    Enter the authentication timeout for the user group, in minutes, from 0 to 480. With the value 0 the global authentication timeout is used.
    Default: 0
FortiGuard override variables
ftgd-wf-ovrd {allow | deny}
    Allow or deny this group FortiGuard Web Filtering overrides.
    Default: deny
ftgd-wf-ovrd-dur <###d##h##m>
    Enter the FortiGuard Web Filtering override duration in days, hours, and minutes.
    Default: 15m
ftgd-wf-ovrd-dur-mode <mode>
    Enter the FortiGuard Web Filtering duration type, one of:
    constant - as specified in ftgd-wf-ovrd-dur
    ask - ask for duration when initiating the override; ftgd-wf-ovrd-dur is the maximum
    Default: constant
ftgd-wf-ovrd-ext <option>
    Enter one of the following to determine whether users can follow links to external sites during a FortiGuard Web Filtering override: allow, deny, ask.
    Default: allow
ftgd-wf-ovrd-scope <scope>
    Enter the scope of the FortiGuard Web Filtering override, one of:
    user - override for the user
    user-group - override for the user's group
    ip - override for the initiating IP
    profile - override for the user's protection profile
    ask - ask for scope when initiating an override
    Default: user
ftgd-wf-ovrd-type <o_type>
    Enter the type of FortiGuard Web Filtering override, one of:
    dir - override for the specific website directory
    domain - override for the specific domain
    rating - override for the specific rating
    ask - ask for type when initiating an override
    Default: dir
SSLVPN variables
redir-url <url_string>
    Enter the URL for an optional second browser window to open when the SSL VPN web portal page opens. The web server for this URL must reside on the private network behind the FortiGate unit.
    Default: No default.
sslvpn-cache-cleaner {enable | disable}
    Enable to remove all temporary Internet files created on the client computer between user login and logout. This is done with a downloaded ActiveX control and works only on Internet Explorer.
    Default: disable
sslvpn-client-check {3rdAV | 3rdFW | forticlient}
    Allow the client to connect only if it has security software installed. Enter one of:
    3rdAV - check for Norton (Symantec) or McAfee antivirus software (for systems other than Windows XP SP2), or Trend Micro, Sophos, Panda Platinum 2006 Internet Security, F-Secure, Secure Resolutions, Cat Computer Services, or Ahnlab antivirus software for Windows XP SP2
    3rdFW - check for Norton (Symantec) or McAfee firewall software (for systems other than Windows XP SP2), or Trend Micro, Panda Platinum 2006 Internet Security, F-Secure, Secure Resolutions, Cat Computer Services, or Ahnlab firewall software for Windows XP SP2
    forticlient - check for FortiClient software
    The check is for installed software only; treat it as a basic hygiene gate, not as an assessment of the client's state.
    Default: No default.
sslvpn-portal-heading <web_portal_string>
    Type a custom caption for display at the top of the web portal home page for the SSL VPN user group.
    Default: No default.
sslvpn-tunnel {enable | disable}
    Enable or disable SSL-VPN tunnel access for this group. Not available in Transparent mode.
    Default: disable
sslvpn-tunnel-startip <ipv4>
    Enter the first IP address of the IP address range reserved for SSL-VPN clients.
    Default: No default.
sslvpn-tunnel-endip <ipv4>
    Enter the last IP address of the IP address range reserved for SSL-VPN clients.
    Default: No default.
sslvpn-split-tunneling {enable | disable}
    Enable or disable the split tunneling feature for this group. When disabled, all of the client's traffic is sent through the tunnel and is subject to the FortiGate unit's policies; when enabled, only traffic for the networks behind the FortiGate unit uses the tunnel and the rest leaves the client directly.
    Default: disable
sslvpn-webapp {enable | disable}
    Enable or disable access to web applications for this group. Not available in Transparent mode.
    Default: disable
sslvpn-ftp {enable | disable}
    Enable or disable access to the FTP web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
    Default: disable
sslvpn-http {enable | disable}
    Enable or disable access to the HTTP/HTTPS proxy web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
    Default: disable
sslvpn-samba {enable | disable}
    Enable or disable access to the Samba web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
    Default: disable
sslvpn-telnet {enable | disable}
    Enable or disable access to the Telnet web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
    Default: disable
sslvpn-vnc {enable | disable}
    Enable or disable access to the VNC web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
    Default: disable
sslvpn-rdp {enable | disable}
    Enable or disable access to the RDP web application. This option is available only if sslvpn-webapp is enabled. Not available in Transparent mode.
    Default: disable
Example
This example shows how to add a group named User_Grp_1, add User_2, User_3, Radius_2 and LDAP_1 as members of the group, and set the protection profile to strict:
config user group
    edit User_Grp_1
        set member User_2 User_3 Radius_2 LDAP_1
        set profile strict
    end
Because Radius_2 and LDAP_1 are members, any account that either server can verify is accepted by this group, in addition to User_2 and User_3.
Command history
FortiOS v2.80    Revised.
FortiOS v2.80 MR3    Added profile keyword.
FortiOS v3.00 MR2    Expanded definition of sslvpn-client-check. Added keyword/variable sslvpn-split-tunneling {enable | disable}. Added keyword/variable sslvpn-portal-heading <web_portal_string>.
FortiOS v3.00 MR3    Added keyword/variable authtimeout. Added keywords/variables sslvpn-vnc and sslvpn-rdp.
FortiOS v3.00 MR4    Peer members can be included in user groups.
Related topics
user ldap
user local
user radius
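The reference's example covers only a firewall group. The following is an added example, not from the original, of an SSL-VPN group that exercises the SSLVPN variables above: tunnel access from a reserved address range, split tunneling left disabled, a client check for FortiClient, cache cleaning, and exactly one web application (RDP) enabled. LDAP1 is assumed to be an LDAP server already defined under user ldap; the group name, address range and caption are constructed for this example.

```fortios
config user group
    edit Remote_Staff
        set group-type sslvpn
        set member LDAP1
        set authtimeout 60
        set sslvpn-tunnel enable
        set sslvpn-tunnel-startip 10.200.0.10
        set sslvpn-tunnel-endip 10.200.0.50
        set sslvpn-split-tunneling disable
        set sslvpn-client-check forticlient
        set sslvpn-cache-cleaner enable
        set sslvpn-webapp enable
        set sslvpn-rdp enable
        set sslvpn-portal-heading "Example Corp remote access"
    end
```

With split tunneling disabled every packet from a connected client enters the tunnel and is subject to the FortiGate unit's firewall policies, which is the setting to keep unless there is a reason to let client traffic bypass them. Each web application you enable under sslvpn-webapp is one more protocol the portal will proxy into the private network, so ftp, http, samba, telnet and vnc are left at their default of disable here. Because LDAP1 is the only member, every account LDAP1 can verify may use this portal; see user group above for how to limit that to named accounts.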
ldap
Use this command to add or edit the definition of an LDAP server for user authentication.
To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.
The FortiGate unit supports the LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.
LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP (Challenge Handshake Authentication Protocol) is not: the FortiGate unit verifies the user by binding to the LDAP server with the user's password, and under CHAP it receives only a hash of a challenge, never the password itself.
Command syntax pattern
config user ldap
    edit <server_name>
        set cnid <id>
        set dn <dname>
        set port <number>
        set server <domain>
        set type <auth_type>
        set username <ldap_username>
        set password <ldap_passwd>
        set group <group>
        set filter <group_filter>
        set secure <auth_port>
        set ca-cert <cert_name>
    end
cnid <id>
    Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid.
    Default: cn
dn <dname>
    Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the Common Name Identifier. The FortiGate unit passes this distinguished name unchanged to the server. You must provide a dn value if type is simple.
    Default: No default.
edit <server_name>
    Enter a name to identify the LDAP server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
    Default: No default.
port <number>
    Enter the port number for communication with the LDAP server.
    Default: 389
server <domain>
    Enter the LDAP server domain name or IP address.
    Default: No default.
type <auth_type>
    Enter the authentication type for LDAP searches. One of:
    anonymous - bind using anonymous user search
    regular - bind using username/password and then search
    simple - simple password authentication without search
    You can use simple authentication if the user records are all under one dn that you know. If the users are under more than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user name. If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.
    Default: simple
username <ldap_username>
    This keyword is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.
    Default: No default.
password <ldap_passwd>
    This keyword is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.
    Default: No default.
group <group>
    This keyword is available when the LDAP server must authenticate that a user is a member of this group on the LDAP server.
    Default: No default.
filter <group_filter>
    Enter the filter for group searches. The search for the group on the LDAP server is done with the following default filter:
    Default: (&(objectcategory=group)(member=*))
secure <auth_port> {disable | starttls | ldaps}
    Select the port to be used in authentication.
    disable - port 389
    ldaps - port 636
    starttls - port 389
    With disable, the bind request, and with it the password being verified, travels to the LDAP server in clear text. Use ldaps or starttls and set ca-cert, so that the password is sent only after the server's certificate has been validated.
    Default: disable
ca-cert <cert_name>
    This keyword is available when secure is set to ldaps or starttls. User authentication will take place via a CA certificate. The CA certificate will be used by the LDAP library to validate the public certificate provided by the LDAP server.
    Default: null
Example
This example shows how to add an LDAP server called LDAP1 using the IP address 23.64.67.44, the default port, the common name cn, and the distinguished name ou=marketing,dc=fortinet,dc=com for simple authentication.
config user ldap
    edit LDAP1
        set server 23.64.67.44
        set cnid cn
        set dn ou=marketing,dc=fortinet,dc=com
    end
This example shows how to change the distinguished name in the example above to ou=accounts,ou=marketing,dc=fortinet,dc=com.
config user ldap
    edit LDAP1
        set dn ou=accounts,ou=marketing,dc=fortinet,dc=com
    end
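The examples above leave secure at its default of disable, so each user's password crosses the network to 23.64.67.44 in clear text with a simple bind. The following added example, not from the original reference, reworks LDAP1 with the hardened combination of keywords the table describes: LDAPS on port 636, server certificate validation against an imported CA, a regular bind with a dedicated read-only account so that users anywhere under the base dn can be found, and a group membership requirement. The hostname, CA certificate name (assumed to have been imported with vpn certificate ca), bind DN, password and group DN are constructed for this example; that group takes the group's distinguished name is an assumption based on the default filter shown above.

```fortios
config user ldap
    edit LDAP1
        set server ldap.example.com
        set secure ldaps
        set port 636
        set ca-cert CA_Cert_1
        set type regular
        set username cn=fortigate-bind,ou=service,dc=example,dc=com
        set password B1nd-Acc0unt-Secret
        set cnid uid
        set dn dc=example,dc=com
        set group cn=firewall-users,ou=groups,dc=example,dc=com
    end
```

The bind account needs read access only to the users and groups being searched; if its password is ever exposed it cannot be used for more than that. With ldaps and ca-cert set, the FortiGate unit checks that the certificate presented by ldap.example.com chains to CA_Cert_1 before sending either the bind password or the user's password, which is what closes the clear-text exposure of the simple example. If the server does not accept LDAPS, secure starttls on port 389 gives the same protection after the initial clear-text StartTLS request.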
Command history
FortiOS v2.80    Revised.
FortiOS v3.00 MR2    Added keyword/variable group <group>.
FortiOS v3.00 MR3    Added keywords filter, secure, ca-cert.
Related topics
user group
user local
user radius
local
Use this command to add local user names and configure user authentication for the FortiGate unit. To add authentication by LDAP or RADIUS server you must first add servers using the config user ldap and config user radius commands.
Command syntax pattern
config user local
    edit <username>
        set ldap-server <servername>
        set passwd <password_str>
        set radius-server <servername>
        set status {enable | disable}
        set type <auth-type>
    end
Example
This example shows how to add and enable a local user called Admin7 for authentication using the RADIUS server RAD1.
config user local
    edit Admin7
        set status enable
        set type radius
        set radius-server RAD1
    end
edit <username>
    Enter the user name. Enter a new name to create a new user account or enter an existing user name to edit that account.
ldap-server <servername>
    Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. See ldap on page 420. This is available when type is set to ldap.
    Default: No default.
passwd <password_str>
    Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords. This is available when type is set to password.
    Default: No default.
radius-server <servername>
    Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. See radius on page 428. This is available when type is set to radius.
    Default: No default.
status {enable | disable}
    Enter enable to allow the local user to authenticate with the FortiGate unit.
    Default: enable
type <auth-type>
    Enter one of the following to specify how this user's password is verified:
    ldap - The LDAP server specified in ldap-server verifies the password.
    password - The FortiGate unit verifies the password against the value of passwd.
    radius - The RADIUS server specified in radius-server verifies the password.
    Default: No default.
This example shows how to change the authentication method for the user Admin7 to password and enter the password (abc123 is a placeholder; use a longer password in practice).
config user local
    edit Admin7
        set type password
        set passwd abc123
    end
Command history
FortiOS v2.80    Revised.
FortiOS v2.80 MR2    Removed try_other keyword.
Related topics
user group
user ldap
user radius
peer
Use this command to add or edit peer (digital certificate holder) information. You use the peers you define here in the config vpn ipsec phase1 command if you specify peertype as peer. Also, you can add these peers to peer groups you define in the config user peergrp command.
For PKI user authentication, you can add or edit peer information and configure the use of an LDAP server to check access rights for client certificates.
This command refers to certificates imported into the FortiGate unit. You import CA certificates using the vpn certificate ca command. You import local certificates using the vpn certificate local command.
Command syntax pattern
config user peer
    edit <peer_name>
        set ca <ca_name>
        set cn <cn_name>
        set cn-type <type>
        set ldap-password <ldap_password>
        set ldap-server <ldap_server>
        set ldap-username <ldap_user>
        set subject <constraints>
    end
ca <ca_name>
    Enter the CA certificate name, as returned by execute vpn certificate ca list.
    Default: No default.
cn <cn_name>
    Enter the peer certificate common name.
    Default: No default.
cn-type <type>
    Enter the peer certificate common name type:
    FQDN - Fully-qualified domain name.
    email - The user's email address.
    ipv4 - The user's IP address (IPv4).
    ipv6 - The user's IP address (IPv6).
    string - Any other piece of information.
    Default: string
edit <peer_name>
    Enter the peer name. Enter a new name to create a new peer or enter an existing peer name to edit that peer's information.
    Default: No default.
ldap-password <ldap_password>
    Enter the login password for the LDAP server used to perform the client access rights check for the defined peer.
    Default: No default.
ldap-server <ldap_server>
    Enter the name of one of the LDAP servers defined under config user ldap used to perform the client access rights check for the defined peer.
    Default: null
ldap-username <ldap_user>
    Enter the login name for the LDAP server used to perform the client access rights check for the defined peer.
    Default: null
subject <constraints>
    Optionally, enter any of the peer certificate name constraints. The peer is identified by the certificate's issuing CA (ca) and common name (cn); use subject constraints to narrow the match when that CA issues certificates to more holders than the intended peer.
    Default: No default.
Example
This example shows how to add the branch_office peer. Configure the peer using the CA certificate name and peer information:
config user peer
    edit branch_office
        set ca CA_Cert_1
        set cn ouraddress@example2.com
        set cn-type email
    end
Command history
FortiOS v2.80 MR2    New.
FortiOS v3.0 MR4    Addition of ldap-password, ldap-server, ldap-username for use of LDAP servers for PKI user authentication.
FortiOS v3.0 MR5    Addition of cn-type <type> ipv6 for authentication of IPv6 IPSec.
Related topics
user peergrp
vpn ipsec phase1
vpn certificate ca
vpn certificate local
peergrp
Use this command to add or edit a peer group. Peers are digital certificate holders defined using the config user peer command. You use the peer groups you define here in the config vpn ipsec phase1 command if you specify peertype as peergrp.
For PKI user authentication, you can add or edit peer group member information. User groups that use PKI authentication can also be configured using config user group.
Command syntax pattern
config user peergrp
    edit <groupname>
        set member <peer_names>
    end
edit <groupname>
    Enter a new name to create a new peer group or enter an existing group name to edit that group.
member <peer_names>
    Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
    Default: No default.
Example
This example shows how to add peers to the peergrp EU_branches.
config user peergrp
    edit EU_branches
        set member Sophia_branch Valencia_branch Cardiff_branch
    end
Command history
FortiOS v2.80 MR2    New.
Related topics
user peer
vpn ipsec phase1
vpn l2tp
vpn pptp
radius
Use this command to add or edit the information used for RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change the default RADIUS port. See system global, set radius-port <radius_port> on page 331.
The RADIUS server is provided with additional information on which to base authentication decisions, derived from the values of server, use-management-vdom, use-group-for-profile, and nas-ip. The attributes sent in the access request include:
NAS-IP-Address - the nas-ip setting or, if nas-ip is not configured, the IP address of the FortiGate interface used to talk to the RADIUS server
NAS-Port - physical interface number of the traffic that triggered the authentication
Called-Station-Id - same value as NAS-IP-Address but in text format
Fortinet-Vdom-Name - name of the VDOM of the traffic that triggered the authentication
NAS-Identifier - configured hostname in non-HA mode; HA cluster group name in HA mode
Acct-Session-Id - unique ID identifying the authentication session
Connect-Info - identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-pptp, vpn-l2tp, vpn-ssl, admin-login, test)
Command syntax pattern
config user radius
    edit <server_name>
        set all-usergroup {enable | disable}
        set nas-ip <use_ip>
        set secondary-secret <sec_server_password>
        set secondary-server <sec_server_domain>
        set secret <server_password>
        set server <domain>
        set use-group-for-profile {enable | disable}
        set use-management-vdom {enable | disable}
    end
edit <server_name>
    Enter a name to identify the RADIUS server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
all-usergroup {enable | disable}
    Enable to automatically include this RADIUS server in all user groups. Every account the server can verify then satisfies every user group, so leave this disabled unless that is intended.
    Default: disable
nas-ip <use_ip>
    IP address used as the NAS-IP-Address and Called-Station-Id attribute in RADIUS access requests. If not configured, the IP address of the FortiGate interface used to talk with the RADIUS server is used.
    Default: No default.
secondary-secret <sec_server_password>
    Enter the secondary RADIUS server shared secret.
    Default: No default.
secondary-server <sec_server_domain>
    Enter the secondary RADIUS server domain name or IP address.
    Default: No default.
secret <server_password>
    Enter the RADIUS server shared secret.
    Default: No default.
server <domain>
    Enter the RADIUS server domain name or IP address.
    Default: No default.
Example
This example shows how to add the radius server RAD1 at the IP address 206. 205. 204. 203 and set
the shared secret as R1a2D3i 4U5s.
conf i g user r adi us
edi t RAD1
set secr et R1a2D3i 4U5s
set ser ver 206. 205. 204. 203
end
Command history
Related topics
user group
user ldap
user local
system global, set radius-port <radius_port>
use- management - vdom
{enabl e | di sabl e}
Enable to use the management VDOM to send all RADIUS
requests.
di sabl e
use- gr oup- f or - pr of i l e
{enabl e | di sabl e}
Enable to use RADIUS group attribute to select the protection
profile.
di sabl e
FortiOS v2.80 Revised.
FortiOS v3.0 MR3 Added use- management - vdom, use- gr oup- f or - pr of i l e,
nas- i p. Description of additional authentication attributes.
FortiOS v3.0 MR4 Added secondar y- ser ver and secondar y- secr et .
FortiOS v3.0 MR5 Added al l - user gr oup.
Keywords and variables Description Default
FortiGate CLI Version 3.0 MR5 Reference
430 01-30005-0015-20070803
radius user
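The attribute list above, as an added example that is not part of this reference and not FortiOS code: a small Python script that assembles a RADIUS Access-Request carrying those attributes (type codes from RFC 2865 and RFC 2869), hides the User-Password with the shared secret in the way the protocol requires, and parses the packet back with the length checks a receiver should apply. The Fortinet vendor ID (12356) and the Fortinet-Vdom-Name vendor sub-type (3) are taken from the public FreeRADIUS Fortinet dictionary and are assumptions here; all input values are constructed.

```python
"""Assemble and decode a RADIUS Access-Request carrying the attributes listed above.
Added illustration; not FortiOS code. Attribute type codes are from RFC 2865 / RFC 2869."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLED_STATION_ID = 30
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_SESSION_ID = 44
ATTR_CONNECT_INFO = 77
# Assumption: Fortinet's IANA enterprise number and the Fortinet-Vdom-Name
# vendor sub-type, as listed in the public FreeRADIUS dictionary.fortinet.
FORTINET_VENDOR_ID = 12356
FORTINET_VDOM_NAME = 3


def avp(attr_type, value):
    """Encode one attribute: type (1 byte), length including header (1 byte), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (type 26): vendor id (4 bytes) + vendor type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the Request Authenticator seeds the chain."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """What the server does with the same secret; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, user, password, nas_ip, nas_port, nas_id,
                         vdom, session_id, connect_info, authenticator=None):
    """Build the packet: code, identifier, length, 16-byte authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join([
        avp(ATTR_USER_NAME, user.encode()),
        avp(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        avp(ATTR_NAS_PORT, struct.pack("!I", nas_port)),
        avp(ATTR_CALLED_STATION_ID, nas_ip.encode()),      # same address, text form
        avp(ATTR_NAS_IDENTIFIER, nas_id.encode()),         # hostname or HA group name
        avp(ATTR_ACCT_SESSION_ID, session_id.encode()),
        avp(ATTR_CONNECT_INFO, connect_info.encode()),     # e.g. web-auth, vpn-ssl, admin-login
        vsa(FORTINET_VENDOR_ID, FORTINET_VDOM_NAME, vdom.encode()),
    ])
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value}; VSAs are keyed as (26, vendor_id, vendor_type).
    Rejects packets whose length field or attribute lengths do not add up."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + ln]
        if t == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            attrs[(t, vendor, value[4])] = value[6:4 + value[5]]
        else:
            attrs[t] = value
        pos += ln
    return attrs
```

The only thing protecting the User-Password field on the wire is the MD5 chain keyed by the shared secret, which is why the secret and secondary-secret values should be long and random rather than dictionary words; the parser's length checks are the minimum a receiver needs before trusting any attribute it finds.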
vpn
Use vpn commands to configure options related to virtual private networking through the FortiGate
unit, including:
  IPSec operating parameters
  a local address range for PPTP or L2TP clients
  SSL VPN configuration settings
This chapter contains the following sections:
  certificate ca
  certificate crl
  certificate local
  certificate ocsp
  certificate remote
  ipsec concentrator
  ipsec forticlient
  ipsec manualkey
  ipsec manualkey-interface
  ipsec phase1
  ipsec phase1-interface
  ipsec phase2
  ipsec phase2-interface
  l2tp
  pptp
  ssl monitor
  ssl settings
  ssl web bookmarks
  ssl web bookmarks-group
  ssl web favorite
certificate ca
Use this command to install Certificate Authority (CA) root certificates.
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the
signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
  1 Use the execute vpn certificate local command to generate a CSR.
  2 Send the CSR to a CA.
    The CA sends you the CA certificate, the signed local certificate and the CRL.
  3 Use the vpn certificate local command to install the signed local certificate.
  4 Use the vpn certificate ca command to install the CA certificate.
  5 Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
Command syntax
  config vpn certificate ca
    edit <ca_name>
      set ca <cert>
    end
To view all of the information about the certificate, use the get command:
  get vpn certificate ca <ca_name>
<keyword>
  edit <ca_name>
    Enter a name for the CA certificate.
  ca <cert>
    Enter or retrieve the CA certificate in PEM format.
Command history
  FortiOS v3.0  New.
Related topics
  vpn certificate crl
  vpn certificate local
  vpn certificate ocsp
  vpn certificate remote
  execute vpn certificate ca
certificate crl
Use this command to install a Certificate Revocation List (CRL).
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the
signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
  1 Use the execute vpn certificate local command to generate a CSR.
  2 Send the CSR to a CA.
    The CA sends you the CA certificate, the signed local certificate and the CRL.
  3 Use the vpn certificate local command to install the signed local certificate.
  4 Use the vpn certificate ca command to install the CA certificate.
  5 Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
The CRL can now be updated automatically from a remote server.
Command syntax
  config vpn certificate crl
    edit <crl_name>
      set crl <crl_PEM>
      set ldap-server <ldap_server_name>
      set ldap-username <ldap_username>
      set ldap-password <ldap_password>
      set scep-cert <scep_certificate>
      set scep-url <scep_url>
      set update-vdom <update_vdom>
      set http-url <http_url>
    end
<keyword>
  edit <crl_name>
    Enter a name for the Certificate Revocation List (CRL).
  crl <crl_PEM>
    Enter the CRL in PEM format.
  ldap-server <ldap_server_name>
    Name of the LDAP server defined in the config user ldap table, used for CRL auto-update.
  ldap-username <ldap_username>
    LDAP login name.
  ldap-password <ldap_password>
    LDAP login password.
  scep-cert <scep_certificate>
    Local certificate used for SCEP communication for CRL auto-update.
  scep-url <scep_url>
    URL of the SCEP server used for automatic CRL updates. Start with http://.
  update-vdom <update_vdom>
    VDOM used to communicate with the remote SCEP server for CRL auto-update.
  http-url <http_url>
    URL of an HTTP server used for automatic CRL updates. Start with http://.
Command history
  FortiOS v3.0      New.
  FortiOS v3.0 MR4  Added variables for use with certificate authentication (automatic CRL updates).
Related topics
  vpn certificate ca
  vpn certificate local
  vpn certificate ocsp
  vpn certificate remote
  execute vpn certificate crl
certificate local
Use this command to install local certificates.
When a CA processes your Certificate Signing Request (CSR), it sends you the CA certificate, the
signed local certificate and the Certificate Revocation List (CRL).
The process for obtaining and installing certificates is as follows:
  1 Use the execute vpn certificate local command to generate a CSR.
  2 Send the CSR to a CA.
    The CA sends you the CA certificate, the signed local certificate and the CRL.
  3 Use the vpn certificate local command to install the signed local certificate.
  4 Use the vpn certificate ca command to install the CA certificate.
  5 Use the vpn certificate crl command to install the CRL.
Depending on your terminal software, you can copy the certificate and paste it into the command.
Command syntax
  config vpn certificate local
    edit <cert_name>
      set password <pwd>
      set private-key <prkey>
      set certificate <cert_PEM>
      set csr <csr_PEM>
    end
To view all of the information about the certificate, use the get command:
  get vpn certificate local [cert_name]
<keyword>
  edit <cert_name>
    Enter the local certificate name.
  certificate <cert_PEM>
    Enter the signed local certificate in PEM format.
  You should not modify the following variables if you generated the CSR on this unit.
  csr <csr_PEM>
    The CSR in PEM format.
  password <pwd>
    The password in PEM format.
  private-key <prkey>
    The private key in PEM format.
Command history
  FortiOS v3.0  New.
Related topics
  vpn certificate ca
  vpn certificate crl
  vpn certificate ocsp
  vpn certificate remote
  execute vpn certificate local
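Steps 3 to 5 of the procedure above paste PEM text into set certificate, set ca and set crl. As an added example that is not part of this reference and not FortiOS code, the following Python check confirms that a pasted block has matching BEGIN/END labels, decodes as base64, carries the label the keyword expects (so a private key is not pasted into set ca), and has an outer DER SEQUENCE whose declared length matches what was decoded, which catches a paste that lost its last lines. The keyword-to-label table and the sample blocks are constructed for this example; the samples wrap a five-byte DER SEQUENCE, not a real certificate.

```python
"""Check a PEM block before pasting it into set ca, set certificate, set crl or set csr.
Added illustration; not FortiOS code."""
import base64
import re

# PEM labels (RFC 7468) that each keyword from the command syntax above expects.
# The keyword names are from this reference; the mapping is this example's own.
EXPECTED_LABEL = {
    "ca": "CERTIFICATE",            # config vpn certificate ca, set ca
    "certificate": "CERTIFICATE",   # config vpn certificate local, set certificate
    "crl": "X509 CRL",              # config vpn certificate crl, set crl
    "csr": "CERTIFICATE REQUEST",   # config vpn certificate local, set csr
}
_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_total_length(der):
    """Length the outer DER SEQUENCE claims for itself (header + content).
    A paste that lost trailing lines still decodes as base64 but fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a SEQUENCE (not an X.509 object)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text):
    """Return {'label': ..., 'der_bytes': ...} for the first well-framed PEM block, else raise."""
    m = _PEM.search(text)
    if not m:
        raise ValueError("no BEGIN/END pair found (or the two labels differ)")
    label, body = m.group(1), "".join(m.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except Exception as exc:
        raise ValueError("body is not valid base64: %s" % exc)
    claimed = der_total_length(der)
    if claimed != len(der):
        raise ValueError("DER says %d bytes but %d decoded (truncated or over-long paste?)"
                         % (claimed, len(der)))
    return {"label": label, "der_bytes": len(der)}


def check_for(keyword, text):
    """'' if text is a well-framed PEM of the type the keyword expects, else an explanation."""
    want = EXPECTED_LABEL[keyword]
    try:
        info = inspect_pem(text)
    except ValueError as exc:
        return str(exc)
    if info["label"] != want:
        return "set %s expects a block labelled %s but this one is labelled %s" % (
            keyword, want, info["label"])
    return ""


# Constructed samples: a minimal DER SEQUENCE { INTEGER 5 } wrapped as PEM. Not a real
# certificate; they exercise the framing checks only.
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
# Header claims 4 content bytes but only 3 follow, as after a truncated paste.
SAMPLE_SHORT = "-----BEGIN CERTIFICATE-----\nMAQCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
```

Run check_for("ca", text) on the clipboard contents before the set ca step; an empty string means the framing is sound, anything else is the reason to stop and re-copy.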
certificate ocsp
Use this command to install remote certificates. The remote certificates are public certificates without a
private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Command syntax
  config vpn certificate ocsp
    edit cert <cert_name>
      set url <ocsp_url>
      set unavail-action <unavailable_action>
    end
To view all of the information about the certificate, use the get command:
  get vpn certificate ocsp [cert_name]
<keyword>
  cert <cert_name>
    Enter the OCSP server public certificate (one of the remote certificates).
  url <ocsp_url>
    Enter the URL of the OCSP server.
  unavail-action <unavailable_action>
    Action taken on client certificate validation when the OCSP server is unreachable: revoke or
    ignore. Default is revoke.
Command history
  FortiOS v3.0 MR4  New.
Related topics
  vpn certificate local
  vpn certificate ca
  vpn certificate crl
  vpn certificate remote
  execute vpn certificate remote
certificate remote
Use this command to install remote certificates. The remote certificates are public certificates without a
private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Command syntax
  config vpn certificate remote
    edit cert <cert_name>
      set remote <remote_cert_detail>
    end
To view all of the information about the certificate, use the get command:
  get vpn certificate remote [cert_name]
<keyword>
  cert <cert_name>
    Enter the name of the public certificate.
  remote <remote_cert_detail>
    Details/description of the remote certificate.
Command history
  FortiOS v3.0 MR4  New.
Related topics
  vpn certificate local
  vpn certificate ca
  vpn certificate crl
  vpn certificate ocsp
  execute vpn certificate remote
ipsec concentrator
Use this command to add IPSec policy-based VPN tunnels to a VPN concentrator. The VPN
concentrator collects hub-and-spoke tunnels into a group.
The concentrator allows VPN traffic to pass from one tunnel to the other through the FortiGate unit.
The FortiGate unit functions as a concentrator, or hub, in a hub-and-spoke network.
Note: VPN concentrators are not available in Transparent mode.
Command syntax pattern
  config vpn ipsec concentrator
    edit <concentrator_name>
      set member <member_name> [<member_name>] [<member_name>]
    end
Note: The member keyword is required.
Variables
  edit <concentrator_name>
    Enter a name for the concentrator.
    Default: No default.
  member <member_name> [member_name] [member_name]
    Enter the names of up to three VPN tunnels to add to the concentrator. Separate the tunnel
    names with spaces. Members can be tunnels defined in vpn ipsec phase1 or vpn ipsec manualkey.
    To add or remove tunnels from the concentrator you must re-enter the whole list with the
    required additions or deletions.
    Default: No default.
Example
Use the following commands to add an IPSec VPN concentrator named Concen_1 and add three
tunnels to the concentrator.
  config vpn ipsec concentrator
    edit Concen_1
      set member Tunnel_1 Tunnel_2 Tunnel_3
    end
Command history
  FortiOS v2.80      Revised.
  FortiOS v2.80 MR4  Method for adding concentrators changed.
  FortiOS v3.0       Members must now be phase1 configurations, not phase2.
Related topics
  vpn ipsec phase1
  vpn ipsec manualkey
ipsec forticlient
Use this command to configure automatic VPN configuration for FortiClient Host Security application
users.
The FortiClient users who will use automatic configuration must be members of a user group. The
config vpn ipsec forticlient command creates a realm that associates the user group with the
phase 2 VPN configuration. You can create multiple realms to associate different user groups with
different phase 2 configurations.
The user group identifies the user name and password settings that the dialup clients' credentials must
match for authentication to succeed. The phase 2 tunnel definition and its associated firewall
encryption policy provide the configuration parameters to download to the FortiClient Host Security
application.
Command syntax pattern
Set or unset VPN policy distribution parameters.
  config vpn ipsec forticlient
    edit <realm_name>
      set phase2name <tunnel_name>
      set status {disable | enable}
      set usergroupname <group_name>
    end
Variables
  edit <realm_name>
    Enter a name for the FortiClient realm. This is also referred to as the policy name.
    Default: No default.
  phase2name <tunnel_name>
    Enter the name of the phase 2 tunnel configuration that you defined as part of the dialup-client
    configuration.
    Default: Null.
  status {disable | enable}
    Enable or disable IPSec VPN policy distribution.
    Default: enable
  usergroupname <group_name>
    Enter the name of the user group that you created for dialup clients. This group must already
    exist.
    Default: Null.
Example
The following example enables VPN policy distribution for a user group called Dialup_users. The
phase 2 tunnel configuration named FG1toDialup_tunnel provides the FortiGate unit with the
information it needs to find and apply the associated firewall encryption policy:
  config vpn ipsec forticlient
    edit Standard_VPN_policy
      set phase2name FG1toDialup_tunnel
      set usergroupname Dialup_users
      set status enable
    end
Command history
  FortiOS v3.0  New.
Related topics
  vpn ipsec phase2
  user group
ipsec manualkey
Use this command to configure manual keys for IPSec tunnel-mode VPN tunnels. You configure a
manual key tunnel to create an IPSec tunnel-mode VPN tunnel between the FortiGate unit and a
remote IPSec VPN client or gateway that is also using manual key.
A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway or
client at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the
tunnel. Because the keys are created when you configure the tunnel, no negotiation is required for the
VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the
same encryption and authentication algorithms and must have the same encryption and authentication
keys.
Command syntax pattern
  config vpn ipsec manualkey
    edit <tunnel_name>
      set authentication <authentication_algorithm>
      set authkey <authentication_key>
      set encryption <method>
      set enckey <encryption_key>
      set interface <interface_name>
      set localspi <local_spi_number>
      set local-gw <address_ipv4>
      set remote-gw <address_ipv4>
      set remotespi <remote_spi_number>
    end
Note: The authentication, encryption, interface, remote-gw, localspi, and remotespi keywords
are required. All other keywords are optional.
Variables
  edit <tunnel_name>
    Enter a name for the tunnel.
    Default: No default.
  authentication <authentication_algorithm>
    Enter one of the following authentication algorithms:
      md5
      null
      sha1
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: encryption and authentication cannot both be null.
    Default: null
  authkey <authentication_key>
    This keyword is available when authentication is set to md5 or sha1.
    If authentication is md5, enter a 32 digit (16 byte) hexadecimal number. Separate each 16 digit
    (8 byte) hexadecimal segment with a hyphen.
    If authentication is sha1, enter a 40 digit (20 byte) hexadecimal number. Use a hyphen to
    separate the first 16 digits (8 bytes) from the remaining 24 digits (12 bytes).
    Digits can be 0 to 9, and a to f.
    Use the same authentication key at both ends of the tunnel.
    Default: - (No default.)
  encryption <method>
    Enter one of the following encryption algorithms:
      3des
      aes128
      aes192
      aes256
      des
      null
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: encryption and authentication cannot both be null.
    Default: null
  enckey <encryption_key>
    This keyword is available when encryption is set to 3des, aes128, aes192, aes256, or des. Enter
    the associated encryption key:
      If encryption is des, enter a 16 digit (8 byte) hexadecimal number.
      If encryption is 3des, enter a 48 digit (24 byte) hexadecimal number.
      If encryption is aes128, enter a 32 digit (16 byte) hexadecimal number.
      If encryption is aes192, enter a 48 digit (24 byte) hexadecimal number.
      If encryption is aes256, enter a 64 digit (32 byte) hexadecimal number.
    Digits can be 0 to 9, and a to f.
    For all of the above, separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    Use the same encryption key at both ends of the tunnel.
    Default: - (No default.)
  interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be
    bound. The FortiGate unit obtains the IP address of the interface from system interface settings
    (see interface on page 346).
    You cannot change interface if a firewall policy references this VPN.
    Default: Null.
  localspi <local_spi_number>
    Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be
    0 to 9, a to f) in the range 0x100 to FFFFFFF. This number must be entered as the Remote SPI at
    the opposite end of the tunnel.
    Default: 0x100
  local-gw <address_ipv4>
    Optionally specify an IP address for the local end of the VPN tunnel. The IP address will be
    assigned to the physical, aggregate, or VLAN interface that is currently selected in interface.
    If you do not specify an IP address here, the FortiGate unit obtains the IP address of the
    interface from the system interface settings (see interface on page 346).
    Default: 0.0.0.0
  remote-gw <address_ipv4>
    The IP address of the remote gateway external interface.
    Default: 0.0.0.0
  remotespi <remote_spi_number>
    Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range
    0x100 to FFFFFFF. This number must be entered as the Local SPI at the opposite end of the
    tunnel.
    Default: 0x100
Example
Use the following command to add an IPSec VPN manual key tunnel with the following characteristics:
  Tunnel name: Manual_Tunnel
  Local SPI: 1000ff
  Remote SPI: 2000ff
  Remote gateway IP address: 206.37.33.45
  Encryption algorithm: 3DES
  Encryption keys: 003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff
  Authentication algorithm: MD5
  Authentication keys: ff003f012ba900bb 00f402303f0100ff
  config vpn ipsec manualkey
    edit Manual_Tunnel
      set localspi 1000ff
      set remotespi 2000ff
      set remote-gw 206.37.33.45
      set encryption 3des
      set enckey 003f2b01a9002f3b-004f4b0209003f01-3b00f23bff003eff
      set authentication md5
      set authkey ff003f012ba900bb-00f402303f0100ff
    end
Command history
  FortiOS v2.80      Revised.
  FortiOS v2.80 MR3  concentrator keyword available in NAT/Route mode only.
  FortiOS v3.0       Removed concentrator keyword. Renamed gateway keyword to remote-gw. Added
                     interface keyword.
  FortiOS v3.0 MR3   Added local-gw keyword.
  FortiOS v3.0 MR5   encryption and authentication cannot both be null.
Related topics
  vpn ipsec phase2
ipsec manualkey-interface
Use this command to configure manual keys for a route-based (interface mode) IPSec VPN tunnel.
When you create a route-based tunnel, the FortiGate unit creates a virtual IPSec interface
automatically. The interface can be modified afterward using the system network interface CLI
command. This command is available only in NAT/Route mode.
Command syntax pattern
  config vpn ipsec manualkey-interface
    edit <tunnel_name>
      set auth-alg <authentication_algorithm>
      set auth-key <authentication_key>
      set enc-alg <method>
      set enc-key <encryption_key>
      set interface <interface_name>
      set ip-version <4 | 6>
      set local-gw <address_ipv4>
      set local-gw6 <address_ipv6>
      set local-spi <local_spi_number>
      set remote-gw <address_ipv4>
      set remote-gw6 <address_ipv6>
      set remote-spi <remote_spi_number>
    end
Note: The auth-alg, enc-alg, interface, remote-gw, local-spi, and remote-spi keywords are
required. All other keywords are optional.
Variables
  edit <tunnel_name>
    Enter a name for the tunnel.
    Default: No default.
  auth-alg <authentication_algorithm>
    Enter one of the following authentication algorithms:
      md5
      null
      sha1
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: enc-alg and auth-alg cannot both be null.
    Default: null
  auth-key <authentication_key>
    This keyword is available when auth-alg is set to md5 or sha1.
    If auth-alg is md5, enter a 32 digit (16 byte) hexadecimal number. Separate each 16 digit
    (8 byte) hexadecimal segment with a hyphen.
    If auth-alg is sha1, enter a 40 digit (20 byte) hexadecimal number. Use a hyphen to separate the
    first 16 digits (8 bytes) from the remaining 24 digits (12 bytes).
    Digits can be 0 to 9, and a to f.
    Use the same authentication key at both ends of the tunnel.
    Default: - (No default.)
  enc-alg <method>
    Enter one of the following encryption algorithms:
      3des
      aes128
      aes192
      aes256
      des
      null
    Make sure you use the same algorithm at both ends of the tunnel.
    Note: enc-alg and auth-alg cannot both be null.
    Default: null
  enc-key <encryption_key>
    This keyword is available when enc-alg is set to 3des, aes128, aes192, aes256, or des. Enter the
    associated encryption key:
      If enc-alg is des, enter a 16 digit (8 byte) hexadecimal number.
      If enc-alg is 3des, enter a 48 digit (24 byte) hexadecimal number.
      If enc-alg is aes128, enter a 32 digit (16 byte) hexadecimal number.
      If enc-alg is aes192, enter a 48 digit (24 byte) hexadecimal number.
      If enc-alg is aes256, enter a 64 digit (32 byte) hexadecimal number.
    Digits can be 0 to 9, and a to f.
    For all of the above, separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    Use the same encryption key at both ends of the tunnel.
    Default: - (No default.)
  interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be
    bound. The FortiGate unit obtains the IP address of the interface from system interface settings
    (see interface on page 346).
    Default: Null.
  ip-version <4 | 6>
    Enter 4 for IPv4 encapsulation or 6 for IPv6 encapsulation.
    Default: 4
  local-gw <address_ipv4>
  local-gw6 <address_ipv6>
    By default, the FortiGate unit determines the local gateway IP address from the interface
    setting. Optionally, you can specify a secondary IP address configured on the same interface.
    local-gw6 is available when ip-version is 6.
    local-gw is available when ip-version is 4.
    Default: 0.0.0.0 for IPv4, :: for IPv6
  local-spi <local_spi_number>
    Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be
    0 to 9, a to f) in the range 0x100 to FFFFFFF. This number must be entered as the Remote SPI at
    the opposite end of the tunnel.
    Default: 0x100
  remote-gw <address_ipv4>
  remote-gw6 <address_ipv6>
    The IP address of the remote gateway external interface.
    remote-gw6 is available when ip-version is 6.
    remote-gw is available when ip-version is 4.
    Default: 0.0.0.0 for IPv4, :: for IPv6
  remote-spi <remote_spi_number>
    Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range
    0x100 to FFFFFFF. This number must be entered as the Local SPI at the opposite end of the
    tunnel.
    Default: 0x100
Example
Use the following command to add a route-based (interface-mode) IPSec VPN tunnel having the
following characteristics:
  Tunnel name: Manual-inf_tunnel
  Local SPI: 1000ff
  Remote SPI: 2000ff
  VLAN interface name: vlan_1
  Remote gateway IP address: 206.37.33.45
  Encryption algorithm: 3DES
  Encryption keys: 003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff
  Authentication algorithm: MD5
  Authentication keys: ff003f012ba900bb 00f402303f0100ff
  config vpn ipsec manualkey-interface
    edit Manual-inf_tunnel
      set auth-alg md5
      set auth-key ff003f012ba900bb-00f402303f0100ff
      set enc-alg 3des
      set enc-key 003f2b01a9002f3b-004f4b0209003f01-3b00f23bff003eff
      set interface vlan_1
      set local-spi 1000ff
      set remote-spi 2000ff
      set remote-gw 206.37.33.45
    end
Command history
  FortiOS v3.0      New.
  FortiOS v3.0 MR5  enc-alg and auth-alg cannot both be null. Added ip-version, local-gw6 and
                    remote-gw6 keywords.
Related topics
  vpn ipsec phase2-interface
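As an added example that is not part of this reference and not FortiOS code, the following Python checker applies the key-length, hyphen-segmentation, hex-digit and SPI-range rules from the manualkey and manualkey-interface tables above to a set of tunnel settings before they are typed into the CLI. The interface-mode keyword names (enc-alg, auth-alg, enc-key, auth-key, local-spi, remote-spi) are mapped onto the tunnel-mode names so that one checker serves both commands; both worked examples above pass it. The rule that both ends must hold identical keys cannot be checked on one side and is not attempted.

```python
"""Validate manual-key tunnel settings against the format rules in the manualkey and
manualkey-interface tables. Added illustration; not FortiOS code."""
import re

# Total hex digits required per algorithm, from the enckey / enc-key and authkey / auth-key rows.
ENC_KEY_DIGITS = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}
AUTH_KEY_DIGITS = {"md5": 32, "sha1": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFF   # range as stated in the localspi / remotespi rows
# manualkey-interface keyword names mapped onto the manualkey names used below.
ALIASES = {"enc-alg": "encryption", "enc-key": "enckey", "auth-alg": "authentication",
           "auth-key": "authkey", "local-spi": "localspi", "remote-spi": "remotespi"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _check_segments(key, segment_lengths):
    """'' if key is hyphen-separated hex with exactly these segment lengths, else an error."""
    parts = key.split("-")
    got = [len(p) for p in parts]
    if got != segment_lengths:
        return "expected hyphen-separated segments of %s hex digits, got %s" % (segment_lengths, got)
    bad = [p for p in parts if not _HEX.match(p)]
    if bad:
        return "non-hex characters in segment(s) %s" % bad
    return ""


def check_enc_key(alg, key):
    """Encryption key: 16-digit (8-byte) segments joined by hyphens, total digits per algorithm."""
    if alg == "null":
        return "" if key == "" else "enckey is not available when encryption is null"
    if alg not in ENC_KEY_DIGITS:
        return "unknown encryption algorithm %r" % alg
    return _check_segments(key, [16] * (ENC_KEY_DIGITS[alg] // 16))


def check_auth_key(alg, key):
    """Authentication key: md5 is 16-16 digits, sha1 is 16-24 (first 8 bytes, then the remaining 12)."""
    if alg == "null":
        return "" if key == "" else "authkey is not available when authentication is null"
    if alg == "md5":
        return _check_segments(key, [16, 16])
    if alg == "sha1":
        return _check_segments(key, [16, 24])
    return "unknown authentication algorithm %r" % alg


def check_spi(spi):
    """SPI: hexadecimal, up to eight digits, within the documented range."""
    if not _HEX.match(spi) or len(spi) > 8:
        return "SPI must be 1 to 8 hex digits"
    value = int(spi, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        return "SPI 0x%x outside 0x%x..0x%x" % (value, SPI_MIN, SPI_MAX)
    return ""


def check_manual_key_tunnel(cfg):
    """cfg maps keyword names (either command's) to values; returns a list of problems."""
    cfg = {ALIASES.get(k, k): v for k, v in cfg.items()}
    problems = []
    enc = cfg.get("encryption", "null")        # both algorithms default to null
    auth = cfg.get("authentication", "null")
    if enc == "null" and auth == "null":
        problems.append("encryption and authentication cannot both be null")
    checks = (("enckey", check_enc_key(enc, cfg.get("enckey", ""))),
              ("authkey", check_auth_key(auth, cfg.get("authkey", ""))),
              ("localspi", check_spi(cfg.get("localspi", "100"))),    # default 0x100
              ("remotespi", check_spi(cfg.get("remotespi", "100"))))
    for name, err in checks:
        if err:
            problems.append("%s: %s" % (name, err))
    return problems
```

An empty list from check_manual_key_tunnel means the values have the shape the CLI expects; it says nothing about whether the peer holds the same keys, so the comparison of both ends still has to be made out of band.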
FortiGate CLI Version 3.0 MR5 Reference
446 01-30005-0015-20070803
ipsec phase1 vpn
ipsec phase1
Use this command to add or edit IPSec tunnel-mode phase 1 configurations. When you add a tunnel-
mode phase 1 configuration, you define how the FortiGate unit and a remote VPN peer (gateway or
client) authenticate themselves to each other as part of establishing an IPSec VPN tunnel.
The phase 1 configuration specifies the name of a remote VPN peer, the nature of the connection
(static IP, dialup, or dynamic DNS), the encryption and authentication keys for the phase 1 proposal,
and the authentication method (preshared key or certificate). For authentication to be successful, the
FortiGate unit and the remote VPN peer must be configured with compatible phase 1 settings.
You can change all settings except the t ype setting after you define the configuration: if the address
type of a remote peer changes, you must delete the original phase 1 configuration and define a new
one. As a general rule, create only one phase 1 configuration per remote VPN peer.
Command syntax pattern
conf i g vpn i psec phase1
edi t <gat eway_name>
set add- gw- r out e {enabl e | di sabl e}
set aut hmet hod <aut hent i cat i on_met hod>
set aut hpasswd <passwor d>
set aut husr <user _name>
set aut husr gr p <gr oup_name>
set dhgr p {1 2 5}
set dpd {di sabl e | enabl e}
set dpd- r et r ycount <r et r y_i nt eger >
set dpd- r et r yi nt er val <seconds> [ <mi l l i seconds>]
set i nt er f ace <i nt er f ace_name>
set keepal i ve <seconds>
set keyl i f e <seconds>
set l ocal - gw <addr ess_i pv4>
set l ocal i d <l ocal _i d>
set mode {aggr essi ve | mai n}
set nat t r aver sal {di sabl e | enabl e}
set peer <CA_cer t i f i cat e_name>
set peer i d <peer _i d>
set peer gr p <cer t i f i cat e_gr oup_name>
set peer t ype <aut hent i cat i on_met hod>
set pr i or i t y <pr i o>
set pr oposal <encr ypt i on_combi nat i on>
set psksecr et <pr eshar ed_key>
set r emot e- gw <addr ess_i pv4>
set r emot egw- ddns <domai n_name>
set r sa- cer t i f i cat e <ser ver _cer t i f i cat e>
set t ype <r emot e_gw_t ype>
set usr gr p <gr oup_name>
set xaut ht ype <XAut h_t ype>
end
Note: In NAT/Route mode, the i nt er f ace keyword is required. A r emot e- gwvalue may be required
depending on the value of the t ype attribute. You must also enter a preshared key or a certificate name
depending on the value of aut hmet hod. All other keywords are optional.
vpn ipsec phase1
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 447
Variables Description Default
edi t <gat eway_name> Enter a name (maximum 35 characters) for this gateway. If
t ype is dynami c, the maximum name length is further
reduced depending on the number of dialup tunnels that can
be established: by 2 for up to 9 tunnels, by 3 for up to 99
tunnels, 4 for up to 999 tunnels, and so on.
No default.
add- gw- r out e
{enabl e | di sabl e}
Enable to automatically add a route to the remote gateway
specified in r emot e- gw. This is effective only when
i nt er f ace is an interface that obtains its IP address by
DHCP or PPPoE. The route distance is specified in the
interface configuration. See system interface on page 346.
di sabl e
aut hmet hod
<aut hent i cat i on_met hod>
Specify the authentication method:
Enter psk to authenticate using a pre-shared key. Use
psksecr et to enter the pre-shared key.
Enter r sa- si gnat ur e to authenticate using a digital
certificate. Use set r sa- cer t i f i cat e to enter the name
of the digital certificate.
You must configure certificates before selecting r sa-
si gnat ur e here. For more information, see execute vpn
certificate local on page 567 and vpn certificate ca on
page 432.
psk
aut hpasswd <passwor d> This keyword is available when xaut ht ype is set to
cl i ent .
Enter the XAuth client password for the FortiGate unit.
No default.
aut husr <user _name> This keyword is available when xaut ht ype is set to
cl i ent .
Enter the XAuth client user name for the FortiGate unit.
Null.
aut husr gr p <gr oup_name> This keyword is available when xaut ht ype is set to aut o,
pap, or chap.
When the FortiGate unit is configured as an XAuth server,
enter the user group to authenticate remote VPN peers. The
user group can contain local users, LDAP servers, and
RADIUS servers. The user group must be added to the
FortiGate configuration before the group name can be cross-
referenced. For more information, see user group on
page 416, user ldap on page 420, user local on page 423,
and user radius on page 428.
Null.
dhgr p {1 2 5} Type 1, 2, and/or 5 to select one or more Diffie-Hellman
groups from DH group 1, 2, and 5 respectively.
When using aggressive mode, DH groups cannot be
negotiated.
If both VPN peers have static IP addresses and use
aggressive mode, enter a single DH Group. The setting on
the FortiGate unit must be identical to the setting on the
remote peer or client.
When the VPN peer or client has a dynamic IP address and
uses aggressive mode, enter up to three DH groups on the
FortiGate unit and one DH group on the remote peer or
dialup client. The setting on the remote peer or client must
be identical to one of the selections on the FortiGate unit.
If the VPN peer or client employs main mode, you can
select more than one DH group. At least one of the settings
on the remote peer or client must be identical to the
selections on the FortiGate unit.
5
di st ance Configure the administrative distance for routes added when
a dialup IPSec connection is established. Using
administrative distance you can specify the relative priorities
of different routes to the same destination. A lower
administrative distance indicates a more preferred route.
Distance can be an integer from 1-255. See also router static
distance <distance> on page 259.
1
FortiGate CLI Version 3.0 MR5 Reference
448 01-30005-0015-20070803
ipsec phase1 vpn
dpd {disable | enable}
    Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors and is not used unless DPD is supported and enabled by both VPN peers.
    Default: disable

dpd-retrycount <retry_integer>
    This keyword is available when dpd is set to enable.
    Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpd-retrycount range is 0 to 10.
    To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
    Default: 3

dpd-retryinterval <seconds> [<milliseconds>]
    This keyword is available when dpd is set to enable.
    The DPD (Dead Peer Detection) retry interval is the time that the local VPN peer waits between sending DPD probes. Set the time in seconds plus, optionally, milliseconds. For example, for 2.5 seconds enter 2 500. The range is 1 to 60 seconds, 0 to 999 milliseconds.
    When the tunnel is starting, or if it has failed, a retry interval of 5 seconds is used if dpd-retryinterval is less than 5 seconds.
    Default: 5

interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the system interface settings (see interface on page 346) unless you specify a different IP address using the local-gw <address_ipv4> attribute.
    You cannot change interface if a firewall policy references this VPN.
    Default: Null.

keepalive <seconds>
    This keyword is available when nattraversal is set to enable.
    Set the NAT traversal keepalive frequency. This number specifies (in seconds) how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until the phase 1 and phase 2 security associations expire. The keepalive frequency can be from 0 to 900 seconds.
    Default: 5

keylife <seconds>
    Set the keylife time. The keylife is the amount of time (in seconds) before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. The range is 120 to 172,800 seconds.
    Default: 28800

local-gw <address_ipv4>
    Optionally specify an IP address for the local end of the VPN tunnel. The IP address will be assigned to the physical, aggregate, or VLAN interface that is currently selected in interface. If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from the system interface settings (see interface on page 346).
    Default: 0.0.0.0

localid <local_id>
    Enter a local ID if the FortiGate unit is functioning as a VPN client and will use the local ID for authentication purposes.
    If you want to dedicate a tunnel to a FortiGate dialup client, you must assign a unique identifier (local ID) to the FortiGate client.
    Whenever you configure a unique identifier (local ID) on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server.
    Default: Null.
mode {aggressive | main}
    Enter aggressive or main (ID Protection) mode. Both modes establish a secure channel.
    In main mode, identifying information is hidden. Main mode is typically used when both VPN peers have static IP addresses.
    In aggressive mode, identifying information is exchanged in the clear.
    When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
    Default: main

nattraversal {disable | enable}
    Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
    Default: disable

peer <CA_certificate_name>
    This keyword is available when authmethod is set to rsa-signature and peertype is set to peer.
    Enter the name of the peer (CA) certificate that will be used to authenticate remote VPN clients or peers. Use the command config user peer to add peer certificates. Peer certificates must be added to the FortiGate configuration before they can be cross-referenced. For more information, see user peer on page 425.
    Default: Null.

peerid <peer_id>
    This keyword is available when peertype is set to one.
    Enter the peer ID that will be used to authenticate remote clients or peers by peer ID.
    Default: Null.

peergrp <certificate_group_name>
    This keyword is available when type is set to dynamic, authmethod is set to rsa-signature, and peertype is set to peergrp.
    Enter the name of the peer certificate group that will be used to authenticate remote clients or peers. You must create the peer certificate group before the group name can be cross-referenced. For more information, see user peergrp on page 427.
    Default: Null.
peertype <authentication_method>
    The following attributes are available under the following conditions:
    - one is available when mode is set to aggressive or when authmethod is set to rsa-signature.
    - dialup is available when type is set to dynamic and authmethod is set to psk.
    - peer is available when authmethod is set to rsa-signature.
    - peergrp is available when type is set to dynamic and authmethod is set to rsa-signature.
    Enter the method for authenticating remote clients or peers when they connect to the FortiGate unit:
    - Type any to accept any remote client or peer (peer IDs are not used for authentication purposes). The mode attribute can be set to aggressive or main. You can use this option with RSA Signature authentication, but, for highest security, you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
    - Type one to authenticate either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Use the peerid keyword to set the peer ID. If more than one dialup client will be connecting using the same (shared) identifier, set mode to aggressive.
    - Type dialup to authenticate dialup VPN clients that use unique identifiers and preshared keys (or unique preshared keys only) to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Use the usrgrp keyword to set the user group name. If the dialup clients use unique identifiers and preshared keys, set mode to aggressive. If the dialup clients use preshared keys only, set mode to main.
    - Type peer to authenticate one (or more) certificate holders based on a particular (or shared) certificate. Use the peer keyword to enter the certificate name. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    - Type peergrp to authenticate certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Use the peergrp keyword to set the certificate group name. The mode attribute can be set to aggressive or main. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    Default: any

priority <prio>
    This value is used to break ties in the selection of dialup routes. If both routes have the same priority, the egress index of the routes is used to determine the selected route.
    Set prio to a value between 0 and 4 294 967 295.
    Default: 0
proposal <encryption_combination>
    Select a minimum of one and a maximum of three encryption-message digest combinations for the phase 1 proposal (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
    You can enter any of the following symmetric-key encryption algorithms:
    3des-md5
    3des-sha1
    aes128-md5
    aes128-sha1
    aes192-md5
    aes192-sha1
    aes256-md5
    aes256-sha1
    des-md5
    des-sha1
    Here is an explanation of the abbreviated combinations:
    - des: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    - 3des: Triple-DES, in which plain text is encrypted three times by three keys.
    - aes128: A 128-bit block algorithm that uses a 128-bit key.
    - aes192: A 128-bit block algorithm that uses a 192-bit key.
    - aes256: A 128-bit block algorithm that uses a 256-bit key.
    You can select either of the following message digests to check the authenticity of messages during an encrypted session:
    - md5: Message Digest 5, the hash algorithm developed by RSA Data Security.
    - sha1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: No default.

psksecret <preshared_key>
    This keyword is available when authmethod is set to psk.
    Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
    Default: * (no default)

remote-gw <address_ipv4>
    This keyword is available when type is set to static.
    Enter the static IP address of the remote VPN peer.
    Default: 0.0.0.0

remotegw-ddns <domain_name>
    This keyword is available when type is set to ddns.
    Enter the identifier of the remote peer (for example, a fully qualified domain name).
    Use this setting when the remote peer has a static domain name and a dynamic IP address (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a dynamic DNS service).
    Default: Null.

rsa-certificate <server_certificate>
    This keyword is available when authmethod is set to rsa-signature.
    Enter the name of the signed personal certificate for the FortiGate unit. You must install the server certificate before you enter the server certificate name. For more information, see vpn certificate local on page 567.
    Default: Null.
type <remote_gw_type>
    Enter the connection type of the remote gateway:
    - If the remote VPN peer has a static IP address, type static. Use the remote-gw keyword to enter the IP address.
    - If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), type dynamic.
    - If the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service, type ddns. Use the remotegw-ddns keyword to enter the domain name of the remote VPN peer.
    Default: static

usrgrp <group_name>
    This keyword is available when type is set to dynamic, authmethod is set to psk, and peertype is set to dialup.
    Enter the name of the group of dialup VPN clients to authenticate. The user group must be added to the FortiGate configuration before it can be cross-referenced here. For more information, see user group on page 416, user ldap on page 420, user local on page 423, and user radius on page 428.
    Default: Null.

xauthtype <XAuth_type>
    Optionally configure XAuth (eXtended Authentication):
    - Type disable to disable XAuth.
    - Type client to configure the FortiGate unit to act as an XAuth client. Use the authusr and authpasswd keywords to add the XAuth user name and password.
    - Type auto, pap, or chap to configure the FortiGate unit as an XAuth server. Use the authusrgrp keyword to specify the user group containing members that will be authenticated using XAuth.
    Default: disable

Example
Use the following command to add a tunnel-mode IPSec VPN phase 1 configuration with the following characteristics:
    Phase 1 configuration name: Simple_GW
    Physical interface name: port6
    Remote peer address type: Dynamic
    Encryption and authentication proposal: des-md5
    Authentication method: psk
    Pre-shared key: Qf2p3O93jIj2bz7E
    Mode: aggressive
    Dead Peer Detection: disable
config vpn ipsec phase1
    edit Simple_GW
        set interface port6
        set type dynamic
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7E
        set mode aggressive
        set dpd disable
end
Command history
FortiOS v2.80        Revised.
FortiOS v2.80 MR2    Added two new parameters to the peertype keyword {peer | peergrp}. Added two new keywords: peer and peergrp.
FortiOS v3.0         Renamed mixed attribute of xauthtype keyword to auto. Renamed remotegw to remote-gw. Added interface and local-gw attributes. Name of phase 1 definition is now limited to 15 characters. Added priority keyword.

Related topics
vpn ipsec phase2
user group
user local
user peer
user peergrp
user radius
execute vpn certificate local
vpn certificate ca
ipsec phase1-interface
Use this command to define a phase 1 definition for a route-based (interface mode) IPSec VPN tunnel that generates authentication and encryption keys automatically. A new interface of type tunnel with the same name is created automatically as the local end of the tunnel.
Optionally, you can create a route-based phase 1 definition to act as a backup for another IPSec interface. See the monitor-phase1 <phase1> keyword.
To complete the configuration of an IPSec tunnel, you need to:
- configure phase 2 settings (see ipsec phase2-interface on page 470)
- configure a firewall policy to pass traffic from the local private network to the tunnel interface
- configure a static route via the IPSec interface to the private network at the remote end of the tunnel
- optionally, define the IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to enable pinging of each end of the tunnel for testing
Command syntax pattern
config vpn ipsec phase1-interface
    edit <gateway_name>
        set add-gw-route {enable | disable}
        set authmethod <authentication_method>
        set authpasswd <password>
        set authusr <user_name>
        set authusrgrp <group_name>
        set dhgrp {1 2 5}
        set dpd {disable | enable}
        set dpd-retrycount <retry_integer>
        set dpd-retryinterval <seconds> [<milliseconds>]
        set interface <interface_name>
        set ip-version <4 | 6>
        set keepalive <seconds>
        set keylife <seconds>
        set local-gw <address_ipv4>
        set local-gw6 <address_ipv6>
        set localid <local_id>
        set mode {aggressive | main}
        set monitor-phase1 <phase1>
        set nattraversal {disable | enable}
        set peer <CA_certificate_name>
        set peerid <peer_id>
        set peergrp <certificate_group_name>
        set peertype <authentication_method>
        set priority <prio>
        set proposal <encryption_combination>
        set psksecret <preshared_key>
        set remote-gw <address_ipv4>
        set remote-gw6 <address_ipv6>
        set remotegw-ddns <domain_name>
        set rsa-certificate <server_certificate>
        set type <remote_gw_type>
        set usrgrp <group_name>
        set xauthtype <XAuth_type>
end
Note: The interface keyword is required. A remote-gw value may be required depending on the value of the type attribute. You must also enter a preshared key or a certificate name depending on the value of authmethod. All other keywords are optional.
Variables Description Default
edit <gateway_name>
    Enter a name (maximum 15 characters) for the remote gateway. If type is dynamic, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on.
    Default: No default.

add-gw-route {enable | disable}
    Enable to automatically add a route to the remote gateway specified in remote-gw. This is effective only when interface is an interface that obtains its IP address by DHCP or PPPoE. The route distance is specified in the interface configuration. See system interface on page 346.
    Default: disable

authmethod <authentication_method>
    Specify the authentication method:
    - Enter psk to authenticate using a pre-shared key. Use psksecret to enter the pre-shared key.
    - Enter rsa-signature to authenticate using a digital certificate. Use set rsa-certificate to enter the name of the digital certificate.
    You must configure certificates before selecting rsa-signature here. For more information, see execute vpn certificate local on page 567 and vpn certificate ca on page 432.
    Default: psk

authpasswd <password>
    This keyword is available when xauthtype is set to client.
    Enter the XAuth client password for the FortiGate unit.
    Default: No default.

authusr <user_name>
    This keyword is available when xauthtype is set to client.
    Enter the XAuth client user name for the FortiGate unit.
    Default: Null.

authusrgrp <group_name>
    This keyword is available when xauthtype is set to auto, pap, or chap.
    When the FortiGate unit is configured as an XAuth server, enter the user group to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before the group name can be cross-referenced. For more information, see user group on page 416, user ldap on page 420, user local on page 423, and user radius on page 428.
    Default: Null.

dhgrp {1 2 5}
    Type 1, 2, and/or 5 to select one or more Diffie-Hellman groups from DH group 1, 2, and 5 respectively.
    When using aggressive mode, DH groups cannot be negotiated.
    - If both VPN peers have static IP addresses and use aggressive mode, enter a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or client.
    - When the VPN peer or client has a dynamic IP address and uses aggressive mode, enter up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or client must be identical to one of the selections on the FortiGate unit.
    - If the VPN peer or client employs main mode, you can select more than one DH group. At least one of the settings on the remote peer or client must be identical to the selections on the FortiGate unit.
    Default: 5
distance
    Configure the administrative distance for routes added when a dialup IPSec connection is established. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. See also router static distance <distance> on page 259.
    Default: 1

dpd {disable | enable}
    Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors and is not used unless DPD is supported and enabled by both VPN peers.
    Default: disable

dpd-retrycount <retry_integer>
    This keyword is available when dpd is set to enable.
    Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpd-retrycount range is 0 to 10.
    To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
    Default: 3

dpd-retryinterval <seconds> [<milliseconds>]
    This keyword is available when dpd is set to enable.
    The DPD (Dead Peer Detection) retry interval is the time that the local VPN peer waits between sending DPD probes. Set the time in seconds plus, optionally, milliseconds. For example, for 2.5 seconds enter 2 500. The range is 1 to 60 seconds, 0 to 999 milliseconds.
    When the tunnel is starting, or if it has failed, a retry interval of 5 seconds is used if dpd-retryinterval is less than 5 seconds.
    Default: 5

interface <interface_name>
    Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the system interface settings (see interface on page 346) unless you specify a different IP address using the local-gw <address_ipv4> attribute.
    Default: Null.

ip-version <4 | 6>
    Enter 4 for IPv4 encapsulation or 6 for IPv6 encapsulation.
    Default: 4

keepalive <seconds>
    This keyword is available when nattraversal is set to enable.
    Set the NAT traversal keepalive frequency. This number specifies (in seconds) how frequently empty UDP packets are sent through the NAT device to make sure that the NAT mapping does not change until the phase 1 and phase 2 security associations expire. The keepalive frequency can be from 0 to 900 seconds.
    Default: 5

keylife <seconds>
    Set the keylife time. The keylife is the amount of time (in seconds) before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. The range is 120 to 172,800 seconds.
    Default: 28800

local-gw <address_ipv4>
local-gw6 <address_ipv6>
    Optionally specify an IP address for the local end of the VPN tunnel. local-gw6 is available when ip-version is 6. local-gw is available when ip-version is 4.
    The IP address will be assigned to the physical, aggregate, or VLAN interface that is currently selected in interface. If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from the system interface settings (see interface on page 346).
    Default: 0.0.0.0 for IPv4; :: for IPv6
localid <local_id>
    Enter a local ID if the FortiGate unit is functioning as a VPN client and will use the local ID for authentication purposes.
    If you want to dedicate a tunnel to a FortiGate dialup client, you must assign a unique identifier (local ID) to the FortiGate client.
    Whenever you configure a unique identifier (local ID) on a FortiGate dialup client, you must enable aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server.
    Default: Null.

mode {aggressive | main}
    Enter aggressive or main (ID Protection) mode. Both modes establish a secure channel.
    In main mode, identifying information is hidden. Main mode is typically used when both VPN peers have static IP addresses.
    In aggressive mode, identifying information is exchanged in the clear. Aggressive mode is typically used when a remote peer or dialup client has a dynamic IP address. You must enable aggressive mode when the remote FortiGate unit has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID).
    Default: main

monitor-phase1 <phase1>
    Optionally, this IPSec interface can act as a backup for another (primary) IPSec interface. Enter the name of the primary interface.
    The backup interface is used only while the primary interface is out of service. dpd must be enabled.
    A primary interface can have only one backup interface and cannot act as a backup for another interface.
    For a configuration example, see Example of backup IPSec interface on page 462.
    Default: Null.

nattraversal {disable | enable}
    Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
    Default: disable

peer <CA_certificate_name>
    This keyword is available when authmethod is set to rsa-signature and peertype is set to peer.
    Enter the name of the peer (CA) certificate that will be used to authenticate remote VPN clients or peers. Use the command config user peer to add peer certificates. Peer certificates must be added to the FortiGate configuration before they can be cross-referenced. For more information, see user peer on page 425.
    Default: Null.

peerid <peer_id>
    This keyword is available when peertype is set to one.
    Enter the peer ID that will be used to authenticate remote clients or peers by peer ID.
    Default: Null.

peergrp <certificate_group_name>
    This keyword is available when type is set to dynamic, authmethod is set to rsa-signature, and peertype is set to peergrp.
    Enter the name of the peer certificate group that will be used to authenticate remote clients or peers. You must create the peer certificate group before the group name can be cross-referenced. For more information, see user peergrp on page 427.
    Default: Null.
peertype <authentication_method>
    The following attributes are available under the following conditions:
    - dialup is available when type is set to dynamic and authmethod is set to psk.
    - peer is available when authmethod is set to rsa-signature.
    - peergrp is available when type is set to dynamic and authmethod is set to rsa-signature.
    Enter the method for authenticating remote clients or peers when they connect to the FortiGate unit:
    - Type any to accept any remote client or peer (peer IDs are not used for authentication purposes). The mode attribute can be set to aggressive or main. You can use this option with RSA Signature authentication, but, for highest security, you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
    - Type one to authenticate either a remote peer or client that has a dynamic IP address and connects using a unique identifier over a dedicated tunnel, or more than one dialup client that connects through the same tunnel using the same (shared) identifier. Use the peerid keyword to set the peer ID. If more than one dialup client will be connecting using the same (shared) identifier, set mode to aggressive.
    - Type dialup to authenticate dialup VPN clients that use unique identifiers and preshared keys (or unique preshared keys only) to connect to the VPN through the same VPN tunnel. In this case, you must create a dialup user group for authentication purposes. Use the usrgrp keyword to set the user group name. If the dialup clients use unique identifiers and preshared keys, set mode to aggressive. If the dialup clients use preshared keys only, set mode to main.
    - Type peer to authenticate one (or more) certificate holders based on a particular (or shared) certificate. Use the peer keyword to enter the certificate name. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    - Type peergrp to authenticate certificate holders that use unique certificates. In this case, you must create a group of certificate holders for authentication purposes. Use the peergrp keyword to set the certificate group name. The mode attribute can be set to aggressive or main. Set mode to aggressive if the remote peer or client has a dynamic IP address.
    Default: any

priority <prio>
    This value is used to break ties in the selection of dialup routes. If both routes have the same priority, the egress index of the routes is used to determine the selected route.
    Set prio to a value between 0 and 4 294 967 295.
    Default: 0
proposal <encryption_combination>
    Select a minimum of one and a maximum of three encryption-message digest combinations for the phase 1 proposal (for example, 3des-md5). The remote peer must be configured to use at least one of the proposals that you define. Use a space to separate the combinations.
    You can enter any of the following symmetric-key encryption algorithms:
    3des-md5
    3des-sha1
    aes128-md5
    aes128-sha1
    aes192-md5
    aes192-sha1
    aes256-md5
    aes256-sha1
    des-md5
    des-sha1
    Here is an explanation of the abbreviated combinations:
    - des: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    - 3des: Triple-DES, in which plain text is encrypted three times by three keys.
    - aes128: A 128-bit block algorithm that uses a 128-bit key.
    - aes192: A 128-bit block algorithm that uses a 192-bit key.
    - aes256: A 128-bit block algorithm that uses a 256-bit key.
    You can select either of the following message digests to check the authenticity of messages during an encrypted session:
    - md5: Message Digest 5, the hash algorithm developed by RSA Data Security.
    - sha1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: No default.

psksecret <preshared_key>
    This keyword is available when authmethod is set to psk.
    Enter the pre-shared key. The pre-shared key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
    Default: * (no default)

remote-gw <address_ipv4>
remote-gw6 <address_ipv6>
    This keyword is available when type is set to static.
    Enter the static IP address of the remote VPN peer. remote-gw6 is available when ip-version is 6. remote-gw is available when ip-version is 4.
    Default: 0.0.0.0 for IPv4; :: for IPv6

remotegw-ddns <domain_name>
    This keyword is available when type is set to ddns and ip-version is set to 4.
    Enter the identifier of the remote peer (for example, a fully qualified domain name).
    Use this setting when the remote peer has a static domain name and a dynamic IP address (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a dynamic DNS service).
    Default: Null.

rsa-certificate <server_certificate>
    This keyword is available when authmethod is set to rsa-signature.
    Enter the name of the signed personal certificate for the FortiGate unit. You must install the server certificate before you enter the server certificate name. For more information, see vpn certificate local on page 567.
    Default: Null.
type <remote_gw_type>
    Enter the connection type of the remote gateway:
    - If the remote VPN peer has a static IP address, type static. Use the remote-gw keyword to enter the IP address.
    - If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), type dynamic.
    - If the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic DNS service, type ddns. Use the remotegw-ddns keyword to enter the domain name of the remote VPN peer. This option is not available if ip-version is 6.
    Default: static

usrgrp <group_name>
    This keyword is available when type is set to dynamic, authmethod is set to psk, and peertype is set to dialup.
    Enter the name of the group of dialup VPN clients to authenticate. The user group must be added to the FortiGate configuration before it can be cross-referenced here. For more information, see user group on page 416, user ldap on page 420, user local on page 423, and user radius on page 428.
    Default: Null.

xauthtype <XAuth_type>
    Optionally configure XAuth (eXtended Authentication):
    - Type disable to disable XAuth.
    - Type client to configure the FortiGate unit to act as an XAuth client. Use the authusr and authpasswd keywords to add the XAuth user name and password.
    - Type auto, pap, or chap to configure the FortiGate unit as an XAuth server. Use the authusrgrp keyword to specify the user group containing members that will be authenticated using XAuth.
    Default: disable

Example of route-based VPN
In this example, an IPSec tunnel is needed between two sites using FortiGate units. Users on the 192.168.2.0/24 network at Site A need to communicate with users on the 192.168.3.0/24 network at Site B. At Site A, the public IP address is 172.16.67.199 and at Site B it is 172.16.68.198. At both ends:
    Port 2 of the FortiGate unit: connects to the private network
    Port 1 of the FortiGate unit: connects to the Internet
    Encryption and authentication proposal: des-md5
    Authentication method: psk
    Pre-shared key: Qf2p3O93jIj2bz7
    Mode: main
    Dead Peer Detection: enable
Site A configuration
config vpn ipsec phase1-interface
    edit toSiteB
        set type static
        set remote-gw 172.16.68.198
        set interface port1
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7
        set mode main
        set dpd enable
end
Site B configuration
config vpn ipsec phase1-interface
    edit toSiteA
        set type static
        set remote-gw 172.16.67.199
        set interface port1
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7
        set mode main
        set dpd enable
end
Variables Description Default
vpn ipsec phase1-interface
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 461
In this example, the user defines IP addresses for each end of the tunnel to enable dynamic routing
through the tunnel or to enable pinging of each end of the tunnel for testing. The Site A end has the IP
address 10.0.0.1 and the SiteB end is 10.0.0.2.
conf i g vpn i psec phase2- i nt er f ace
edi t New_Tunnel
set phase1name t oSi t eB
set pr oposal 3des- sha1
set keyl i f e- t ype seconds
set keyl i f eseconds 18001
set dhgr p 2
set r epl ay enabl e
set pf s enabl e
set keepal i ve enabl e
end
conf i g vpn i psec phase2- i nt er f ace
edi t New_Tunnel
set phase1name t oSi t eA
set pr oposal 3des- sha1
set keyl i f e- t ype seconds
set keyl i f eseconds 18001
set dhgr p 2
set r epl ay enabl e
set pf s enabl e
set keepal i ve enabl e
end
conf i g f i r ewal l pol i cy
edi t 1
set sr c- i nt f por t 2
set dst - i nt f t oSi t eB
set sr caddr al l
set dst addr al l
set act i on accept
set ser vi ce ANY
set schedul e al ways
next
conf i g f i r ewal l pol i cy
edi t 1
set sr c- i nt f por t 2
set dst - i nt f t oSi t eA
set sr caddr al l
set dst addr al l
set act i on accept
set ser vi ce ANY
set schedul e al ways
next
edi t 2
set sr c- i nt f t oSi t eB
set dst - i nt f por t 2
set sr caddr al l
set dst addr al l
set act i on accept
set ser vi ce ANY
set schedul e al ways
end
edi t 2
set sr c- i nt f t oSi t eA
set dst - i nt f por t 2
set sr caddr al l
set dst addr al l
set act i on accept
set ser vi ce ANY
set schedul e al ways
end
conf i g r out e st at i c
edi t 1
set devi ce t oSi t eB
set dst 192. 168. 3. 0/ 24
end
conf i g r out e st at i c
edi t 1
set devi ce t oSi t eA
set dst 192. 168. 2. 0/ 24
end
Site A configuration Site B configuration
(Optional)
conf i g syst emi nt er f ace
edi t t oSi t eB
set i p 10. 0. 0. 1/ 32
set r emot e- i p 10. 0. 0. 2
set al l owaccess pi ng
end
(Optional)
conf i g syst emi nt er f ace
edi t t oSi t eA
set i p 10. 0. 0. 2/ 32
set r emot e- i p 10. 0. 0. 1
set al l owaccess pi ng
end
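The two configurations above only work if each side mirrors the other. The following script is an added example, not part of the FortiGate CLI Reference: it parses both sites' phase1-interface and phase2-interface entries (flat FortiOS CLI text with config/edit/set/next/end, no nested blocks) and reports the asymmetries that keep phase 1 or phase 2 from negotiating: a remote-gw that does not point at the other side's public address, a differing psksecret, mode or dpd, no proposal both sides offer, or a differing dhgrp or pfs. The sample pair, its RFC 5737 addresses and the pre-shared key are constructed; the phase 2 defaults it assumes (dhgrp 5, pfs disable) are the ones documented in the phase2-interface table of this chapter.

```python
"""Cross-check the two ends of a route-based IPSec tunnel for asymmetries.
Added example, not part of the FortiGate CLI Reference: parses each site's
phase1-interface and phase2-interface entries and reports settings that would
keep phase 1 or phase 2 from negotiating."""


def parse_fortios(text):
    """Minimal parser for flat FortiOS CLI blocks (config / edit / set / next / end).
    Returns {table: {entry: {keyword: [values]}}}; nested blocks are not handled."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        cmd, args = tokens[0], [a.strip('"') for a in tokens[1:]]
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = " ".join(args)
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table, entry = None, None
    return tables


# Phase 2 defaults documented in this reference (dhgrp 5, pfs disable): a side
# that omits the keyword is compared as if it had set the default explicitly.
PHASE2_DEFAULTS = {"dhgrp": ["5"], "pfs": ["disable"]}


def single_entry(cfg, table):
    """Return the one entry of a table, failing loudly if there is not exactly one."""
    entries = cfg.get(table, {})
    if len(entries) != 1:
        raise ValueError(f"expected one entry in '{table}', found {len(entries)}")
    return next(iter(entries.values()))


def check_tunnel_pair(cfg_a, cfg_b, public_a, public_b):
    """Return the mismatches between site A and site B (empty list means consistent).
    public_a / public_b are the addresses each side's 'interface' carries; the caller
    supplies them because they are not part of the phase1 entry."""
    p1a, p1b = (single_entry(c, "vpn ipsec phase1-interface") for c in (cfg_a, cfg_b))
    p2a, p2b = (single_entry(c, "vpn ipsec phase2-interface") for c in (cfg_a, cfg_b))
    problems = []
    # Phase 1: a static peer must name the other side's public address.
    if p1a.get("remote-gw") != [public_b]:
        problems.append(f"site A remote-gw {p1a.get('remote-gw')} != site B address {public_b}")
    if p1b.get("remote-gw") != [public_a]:
        problems.append(f"site B remote-gw {p1b.get('remote-gw')} != site A address {public_a}")
    # Phase 1: these must be identical on both peers.
    for key in ("authmethod", "psksecret", "mode", "dpd"):
        if p1a.get(key) != p1b.get(key):
            problems.append(f"phase1 {key} differs: {p1a.get(key)} vs {p1b.get(key)}")
    # Phase 1 and 2: at least one proposal must be offered by both sides.
    for label, x, y in (("phase1", p1a, p1b), ("phase2", p2a, p2b)):
        if not set(x.get("proposal", [])) & set(y.get("proposal", [])):
            problems.append(f"{label}: no proposal accepted by both sides")
    # Phase 2: DH group and PFS must agree, defaults included.
    for key, default in PHASE2_DEFAULTS.items():
        if p2a.get(key, default) != p2b.get(key, default):
            problems.append(f"phase2 {key} differs: {p2a.get(key, default)} vs {p2b.get(key, default)}")
    return problems


# Constructed sample pair (RFC 5737 documentation addresses, made-up key), not the
# reference's example. Site B's remote-gw carries a one-digit typo and omits pfs.
SITE_A_PUBLIC, SITE_B_PUBLIC = "203.0.113.10", "198.51.100.20"
SITE_A = """
config vpn ipsec phase1-interface
    edit toSiteB
        set remote-gw 198.51.100.20
        set interface port1
        set proposal aes256-sha1 3des-sha1
        set authmethod psk
        set psksecret Kq7vR2mT9xWz4Lb8
        set mode main
        set dpd enable
    next
end
config vpn ipsec phase2-interface
    edit toSiteB_p2
        set phase1name toSiteB
        set proposal aes256-sha1
        set dhgrp 2
        set pfs enable
    next
end
"""
SITE_B = (SITE_A.replace("toSiteB", "toSiteA")
          .replace("198.51.100.20", "203.0.113.11")  # typo: should be 203.0.113.10
          .replace("aes256-sha1 3des-sha1", "aes256-sha1")
          .replace("        set pfs enable\n", ""))


def run_example():
    """Run the check on the constructed pair and return its findings."""
    return check_tunnel_pair(parse_fortios(SITE_A), parse_fortios(SITE_B),
                             SITE_A_PUBLIC, SITE_B_PUBLIC)
```

Against the constructed pair the check returns two findings, the mistyped remote-gw on Site B and the pfs mismatch; once both are corrected it returns an empty list.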
Example of backup IPSec interface
In this example, the backupToHeadquarters IPSec interface provides failover protection for the
toHeadquarters IPSec interface.
The backupToHeadquarters interface is a backup interface because its monitor-phase1 option is
not null; it is set to monitor the toHeadquarters interface. If the monitored interface goes down, as
determined by Dead Peer Detection, the backup interface becomes active.
The backup interface uses a different physical interface, which could be connected to a different
Internet service provider. The remote gateway can be the same, or it can specify an alternative
gateway, if one exists. Otherwise, the two IPSec interfaces are identically configured.
    config vpn ipsec phase1-interface
        edit "toHeadquarters"
            set interface "wan1"
            set remote-gw 172.16.1.10
            set dpd enable
            ... [other phase1 settings as needed]
        next
        edit "backupToHeadquarters"
            set interface "wan2"
            set monitor-phase1 "toHeadquarters"
            set remote-gw 172.16.1.10
            ... [other phase1 settings as needed]
    end
Command history
FortiOS v3.0        New
FortiOS v3.0 MR5    Added keywords ip-version, local-gw6, remote-gw6.

Related topics
vpn ipsec phase2-interface
user group
user local
user peer
user peergrp
user radius
vpn certificate local
vpn certificate ca
ipsec phase2
Use this command to add or edit an IPSec tunnel-mode phase 2 configuration. The FortiGate unit uses
the tunnel-mode phase 2 configuration to create and maintain an IPSec VPN tunnel with a remote
VPN peer (the VPN gateway or client).
The phase 2 configuration consists of a name for the VPN tunnel, the name of an existing phase 1
configuration, the proposal settings (encryption and authentication algorithms) and DH group used for
phase 2. For phase 2 to be successful, the FortiGate unit and the remote VPN peer must be
configured with compatible proposal settings.
Command syntax pattern
config vpn ipsec phase2
    edit <tunnel_name>
        set auto-negotiate {enable | disable}
        set dhcp-ipsec {disable | enable}
        set dhgrp {1 | 2 | 5}
        set dst-addr-type <type>
        set dst-end-ip <address_ipv4>
        set dst-name <address_name>
        set dst-port <destination_port_number>
        set dst-start-ip <address_ipv4>
        set dst-subnet <address_ipv4mask>
        set keepalive {disable | enable}
        set keylife-type <keylife_type>
        set keylifekbs <kb_integer>
        set keylifeseconds <seconds>
        set pfs {disable | enable}
        set phase1name <gateway_name>
        set proposal <encryption_combination>
        set protocol <protocol_integer>
        set replay {disable | enable}
        set route-overlap {overlap_option}
        set selector-match <match_type>
        set single-source {disable | enable}
        set src-addr-type <ip_source_name>
        set src-end-ip <address_ipv4>
        set src-name <address_name>
        set src-port <source_port_number>
        set src-start-ip <address_ipv4>
        set src-subnet <address_ipv4mask>
        set use-natip {enable | disable}
end
Note: The phase1name keyword is required. All other keywords are optional.
Variables Description Default
edit <tunnel_name>
    Enter a name for the tunnel.
    Default: No default.
auto-negotiate {enable | disable}
    Enable to negotiate the phase 2 security association (SA) automatically, even if there is no
    traffic. This repeats every five seconds until it succeeds.
    You can use this option on a dialup peer to ensure that the tunnel is available for peers at the
    server end to initiate traffic to the dialup peer. Otherwise, the tunnel does not exist until the
    dialup peer initiates traffic.
    Default: disable
dhcp-ipsec {disable | enable}
    This keyword is available when phase1name names a dialup gateway configuration.
    Enable dhcp-ipsec if the FortiGate unit acts as a dialup server and FortiGate DHCP relay will be
    used to assign VIP addresses to FortiClient dialup clients. The DHCP relay parameters must be
    configured separately.
    For information about how to configure a DHCP server on a FortiGate interface, see system dhcp
    server on page 314. For information about FortiGate DHCP relay, see system interface on
    page 346.
    If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients
    VIP addresses that match the network behind the dialup server, select Enable to cause the
    FortiGate unit to act as a proxy for the dialup clients.
    Default: disable
dhgrp {1 | 2 | 5}
    Type 1, 2 or 5 to select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN
    connection. Both VPN peers must use the same DH Group.
    Default: 5
dst-addr-type <type>
    Enter the type of destination address that corresponds to the recipient(s) or network behind the
    remote VPN peer or FortiGate dialup client:
    To specify the IP address of a server or host, type ip. Enter the IP address using the
    dst-start-ip keyword.
    To specify a range of IP addresses, type range. Enter the starting and ending addresses using
    the dst-start-ip and dst-end-ip keywords.
    To specify a network address, type subnet. Enter the network address using the dst-subnet
    keyword.
    To specify a firewall address or address group, type name. Enter the address or address group
    name using the dst-name keyword. You must also select the name option for src-addr-type.
    This option is intended for users upgrading VPN configurations created using FortiOS 2.80. For
    new VPNs that use firewall addresses or address groups as selectors, interface mode VPNs are
    recommended.
    Default: subnet
dst-end-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the highest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-name <address_name>
    This keyword is available when dst-addr-type is set to name. Enter the name of a firewall
    address or address group.
    Default: No default.
dst-port <destination_port_number>
    Enter the port number that the remote VPN peer or FortiGate dialup client uses to transport
    traffic related to the specified service (see protocol). The range is 1 to 65535. To specify
    all ports, type 0.
    Default: 0
dst-start-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the lowest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-subnet <address_ipv4mask>
    Enter the IP address and network mask that identifies the private network behind the remote
    VPN peer or FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0
keepalive {disable | enable}
    Enable to automatically negotiate a new phase 2 security association (SA) before the current
    SA expires, keeping the tunnel up. Otherwise, a new SA is negotiated only if there is traffic.
    Default: disable
keylife-type <keylife_type>
    Set when the phase 2 key expires. When the key expires, a new key is generated without
    interrupting service.
    To make the key expire after a period of time has elapsed and after an amount of data is
    transmitted, type both.
    To make the key expire after an amount of data is transmitted, type kbs. Use the keylifekbs
    keyword to set the amount of data that is transmitted.
    To make the key expire after a number of seconds elapses, type seconds. Use the
    keylifeseconds keyword to set the amount of time that elapses.
    Default: seconds
keylifekbs <kb_integer>
    This keyword is available when keylife-type is set to kbs or both.
    Set the number of KBytes of data to transmit before the phase 2 key expires. The range is
    5120 to 99999 KBytes.
    Default: 5120
keylifeseconds <seconds>
    This keyword is available when keylife-type is set to seconds or both.
    Set the number of seconds to elapse before the phase 2 key expires. seconds can be 120 to
    172800 seconds.
    Default: 1800
pfs {disable | enable}
    Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key created
    during Phase 2 is unrelated to keys created during Phase 1 or to other keys created during
    Phase 2. PFS may cause minor delays during key generation.
    Default: disable
phase1name <gateway_name>
    Enter a phase 1 gateway configuration name. You must add the phase 1 gateway definition to the
    FortiGate configuration before it can be cross-referenced.
    Default: Null.
proposal <encryption_combination>
    Enter a minimum of one and a maximum of three encryption-message digest combinations (for
    example, 3des-md5). The remote peer must be configured to use at least one of the proposals
    that you define. Use a space to separate the combinations.
    You can enter any of the following symmetric-key encryption algorithms:
        3des-md5
        3des-null
        3des-sha1
        aes128-md5
        aes128-null
        aes128-sha1
        aes192-md5
        aes192-null
        aes192-sha1
        aes256-md5
        aes256-null
        aes256-sha1
        des-md5
        des-null
        des-sha1
        null-md5
        null-sha1
    Here is an explanation of the abbreviated combinations:
        null: Do not use an encryption algorithm.
        des: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
        3des: Triple-DES, in which plain text is encrypted three times by three keys.
        aes128: A 128-bit block algorithm that uses a 128-bit key.
        aes192: A 128-bit block algorithm that uses a 192-bit key.
        aes256: A 128-bit block algorithm that uses a 256-bit key.
    You can enter any of the following message digests to check the authenticity of messages
    during an encrypted session:
        null: Do not use a message digest.
        md5: Message Digest 5, the hash algorithm developed by RSA Data Security.
        sha1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: No default.
protocol <protocol_integer>
    This keyword is available when selector is set to specify.
    Enter the IP protocol number for the service. The range is 1 to 255. To specify all services,
    type 0.
    Default: 0
replay {disable | enable}
    Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party
    intercepts a series of IPSec packets and replays them back into the tunnel. Enable replay
    detection to check the sequence number of every IPSec packet to see if it has been received
    before. If packets arrive out of sequence, the FortiGate unit discards them.
    You can configure the FortiGate unit to send an alert email when it detects a replay packet. See
    alertemail on page 63.
    Default: disable
route-overlap {overlap_option}
    Specify how the FortiGate unit handles multiple dialup users with the same IP source address.
    Set overlap_option to one of the following:
        allow: allow overlapping routes
        use-new: delete the old route and add the new route
        use-old: use the old route and do not add the new route
    Default: use-new
selector-match <match_type>
    The peer's IPSec selectors are compared to the FortiGate phase 2 selectors, which are any of
    src-start-ip / src-end-ip, src-subnet, dst-subnet, dst-start-ip / dst-end-ip. The
    match_type value can be one of:
        exact: the peer's selector must match exactly
        subset: the peer's selector can be a subset of this selector
        auto: use exact or subset match as needed (default)
    Note: This keyword is configured automatically when upgrading a FortiOS version 2.80 VPN to
    version 3.0. You should not set this keyword when configuring a new VPN.
    Default: auto
single-source {disable | enable}
    Enable if src-addr-type is name and hosts on the internal network will initiate communication
    sessions with remote dialup clients.
    Default: disable
src-addr-type <ip_source_name>
    If the FortiGate unit is a dialup server, enter the type of source address that corresponds to
    the local sender(s) or network behind the FortiGate dialup server:
    To specify the IP address of a server or host, type ip. Enter the IP address using the
    src-start-ip keyword.
    To specify a range of IP addresses, type range. Enter the starting and ending addresses using
    the src-start-ip and src-end-ip keywords.
    To specify a network address, type subnet. Enter the network address using the src-subnet
    keyword.
    To specify a firewall address or address group, type name. Enter the address or address group
    name using the src-name keyword. You must also select the name option for dst-addr-type.
    This option is intended for users upgrading VPN configurations created using FortiOS 2.80. For
    new VPNs that use firewall addresses or address groups as selectors, interface mode VPNs are
    recommended.
    If the FortiGate unit is a dialup client, src-addr-type must refer to the server(s), host(s), or
    private network behind the FortiGate dialup client.
    Default: subnet
src-end-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the highest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-name <address_name>
    This keyword is available when src-addr-type is set to name. Enter the name of a firewall
    address or address group.
    Default: No default.
src-port <source_port_number>
    If the FortiGate unit is a dialup server, enter the port number that the FortiGate dialup server
    uses to transport traffic related to the specified service (see protocol). If the FortiGate
    unit is a dialup client, enter the port number that the FortiGate dialup client uses to
    transport traffic related to the specified service. The src-port range is 1 to 65535. To
    specify all ports, type 0.
    Default: 0
src-start-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the lowest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-subnet <address_ipv4mask>
    If the FortiGate unit is a dialup server, enter the IP address and network mask that identifies
    the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup
    client, enter the IP address and network mask that identifies the private network behind the
    FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0
use-natip {enable | disable}
    By default, when outbound NAT is used, the FortiGate unit public interface IP address is the
    source selector. If you disable use-natip, the source selector is as specified in
    src-start-ip / src-end-ip or src-subnet.
    Note: This keyword is configured automatically when upgrading a FortiOS version 2.80 VPN to
    version 3.0. You should not set this keyword when configuring a new VPN.
    Default: enable

Example
Use the following command to add a tunnel-mode phase 2 configuration with the following
characteristics:
    Name: New_Tunnel
    Phase 1 name: Simple_GW
    Encryption and authentication proposal: 3des-sha1 aes256-sha1 des-md5
    Keylife type: seconds
    Keylife seconds: 18001
    Diffie-Hellman group: 2
    Replay detection: enable
    Perfect forward secrecy: enable
    Keepalive: enable

    config vpn ipsec phase2
        edit New_Tunnel
            set phase1name Simple_GW
            set proposal 3des-sha1 aes256-sha1 des-md5
            set keylife-type seconds
            set keylifeseconds 18001
            set dhgrp 2
            set replay enable
            set pfs enable
            set keepalive enable
    end

Command history
FortiOS v2.80       Revised
FortiOS v2.80 MR3   concentrator keyword available in NAT/Route mode only.
FortiOS v2.80 MR7   wildcardid keyword removed. selector keyword and associated srcaddr, dstaddr,
                    protocol, srcport, and dstport keywords added. single-source keyword added.
FortiOS v3.0        Replaced underscore character in keylife-type keyword with a hyphen. Removed
                    bindtoif, concentrator, internetbrowsing, selector, dstaddr, dstport, srcaddr,
                    and srcport keywords. Added dst-addr-type, dst-port, dst-subnet, dst-end-ip,
                    dst-start-ip, src-addr-type, src-port, src-subnet, src-end-ip, and
                    src-start-ip keywords.
FortiOS v3.0 MR5    Removed null-null option from proposal keyword.

Related topics
vpn ipsec phase1
alertemail setting
firewall policy, policy6
ipsec phase2-interface
Use this command to add a phase 2 configuration for a route-based (interface mode) IPSec tunnel or
edit an existing interface-mode phase 2 configuration. This command is available only in NAT/Route
mode.
Command syntax pattern
config vpn ipsec phase2-interface
    edit <tunnel_name>
        set auto-negotiate {enable | disable}
        set dhgrp {1 | 2 | 5}
        set dst-addr-type <type>
        set dst-end-ip <address_ipv4>
        set dst-end-ip6 <address_ipv6>
        set dst-name <address_name>
        set dst-port <destination_port_number>
        set dst-start-ip <address_ipv4>
        set dst-start-ip6 <address_ipv6>
        set dst-subnet <address_ipv4mask>
        set dst-subnet6 <address_ipv6mask>
        set keepalive {disable | enable}
        set keylife-type <keylife_type>
        set keylifekbs <kb_integer>
        set keylifeseconds <seconds>
        set pfs {disable | enable}
        set phase1name <gateway_name>
        set proposal <encryption_combination>
        set protocol <protocol_integer>
        set replay {disable | enable}
        set route-overlap {overlap_option}
        set single-source {disable | enable}
        set src-addr-type <ip_source_name>
        set src-end-ip <address_ipv4>
        set src-end-ip6 <address_ipv6>
        set src-name <address_name>
        set src-port <source_port_number>
        set src-start-ip <address_ipv4>
        set src-start-ip6 <address_ipv6>
        set src-subnet <address_ipv4mask>
        set src-subnet6 <address_ipv6mask>
end
Note: The phase1name keyword is required. All other keywords are optional.
Variables Description Default
edit <tunnel_name>
    Enter a name for the phase 2 tunnel configuration.
    Default: No default.
auto-negotiate {enable | disable}
    Enable to negotiate the phase 2 security association (SA) automatically, even if there is no
    traffic. This repeats every five seconds until it succeeds.
    You can use this option on a dialup peer to ensure that the tunnel is available for peers at the
    server end to initiate traffic to the dialup peer. Otherwise, the tunnel does not exist until the
    dialup peer initiates traffic.
    Default: disable
dhgrp {1 | 2 | 5}
    Type 1, 2 or 5 to select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN
    connection. Both VPN peers must use the same DH Group.
    Default: 5
dst-addr-type <type>
    Enter the type of destination address that corresponds to the recipient(s) or network behind the
    remote VPN peer or FortiGate dialup client:
    To specify the IPv4 address of a server or host, type ip. Enter the IP address using the
    dst-start-ip keyword.
    To specify the IPv6 address of a server or host, type ip6. Enter the IP address using the
    dst-start-ip6 keyword.
    To specify a range of IPv4 addresses, type range. Enter the starting and ending addresses using
    the dst-start-ip and dst-end-ip keywords.
    To specify a range of IPv6 addresses, type range6. Enter the starting and ending addresses
    using the dst-start-ip6 and dst-end-ip6 keywords.
    To specify an IPv4 network address, type subnet. Enter the network address using the
    dst-subnet keyword.
    To specify an IPv6 network address, type subnet6. Enter the network address using the
    dst-subnet6 keyword.
    To specify an address defined in a firewall address or address group, type name. Enter the
    address name using the dst-name keyword. You must also select the name option for
    src-addr-type. This is available only for IPv4 addresses.
    Default: subnet
dst-end-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the highest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-end-ip6 <address_ipv6>
    This keyword is available when dst-addr-type is set to range6.
    Enter the highest destination IP address in the range of IP addresses.
    Default: ::
dst-name <address_name>
    This keyword is available when dst-addr-type is set to name. Enter the firewall address or
    address group name.
dst-port <destination_port_number>
    Enter the port number that the remote VPN peer or FortiGate dialup client uses to transport
    traffic related to the specified service (see protocol). The range is 1 to 65535. To specify
    all ports, type 0.
    Default: 0
dst-start-ip <address_ipv4>
    This keyword is available when dst-addr-type is set to range.
    Enter the lowest destination IP address in the range of IP addresses.
    Default: 0.0.0.0
dst-start-ip6 <address_ipv6>
    This keyword is available when dst-addr-type is set to range6.
    Enter the lowest destination IP address in the range of IP addresses.
    Default: ::
dst-subnet <address_ipv4mask>
    Enter the IPv4 address and network mask that identifies the private network behind the remote
    VPN peer or FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0
dst-subnet6 <address_ipv6mask>
    Enter the IPv6 address and network mask that identifies the private network behind the remote
    VPN peer or FortiGate dialup client.
    Default: ::/0
keepalive {disable | enable}
    Enable to automatically negotiate a new phase 2 security association (SA) before the current
    SA expires, keeping the tunnel up. Otherwise, a new SA is negotiated only if there is traffic.
    Default: disable
keylife-type <keylife_type>
    Set when the phase 2 key expires. When the key expires, a new key is generated without
    interrupting service.
    To make the key expire after a period of time has elapsed and after an amount of data is
    transmitted, type both.
    To make the key expire after an amount of data is transmitted, type kbs. Use the keylifekbs
    keyword to set the amount of data that is transmitted.
    To make the key expire after a number of seconds elapses, type seconds. Use the
    keylifeseconds keyword to set the amount of time that elapses.
    Default: seconds
keylifekbs <kb_integer>
    This keyword is available when keylife-type is set to kbs or both.
    Set the number of KBytes of data to transmit before the phase 2 key expires. The range is
    5120 to 99999 KBytes.
    Default: 5120
keylifeseconds <seconds>
    This keyword is available when keylife-type is set to seconds or both.
    Set the number of seconds to elapse before the phase 2 key expires. seconds can be 120 to
    172800 seconds.
    Default: 1800
pfs {disable | enable}
    Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key created
    during Phase 2 is unrelated to keys created during Phase 1 or to other keys created during
    Phase 2. PFS may cause minor delays during key generation.
    Default: disable
phase1name <gateway_name>
    Enter a phase 1 gateway configuration name. You must add the phase 1 gateway definition to the
    FortiGate configuration before it can be cross-referenced.
    Default: Null.
proposal <encryption_combination>
    Enter a minimum of one and a maximum of three encryption-message digest combinations (for
    example, 3des-md5). The remote peer must be configured to use at least one of the proposals
    that you define. Use a space to separate the combinations.
    You can enter any of the following symmetric-key encryption algorithms:
        3des-md5
        3des-null
        3des-sha1
        aes128-md5
        aes128-null
        aes128-sha1
        aes192-md5
        aes192-null
        aes192-sha1
        aes256-md5
        aes256-null
        aes256-sha1
        des-md5
        des-null
        des-sha1
        null-md5
        null-sha1
    Here is an explanation of the abbreviated combinations:
        null: Do not use an encryption algorithm.
        des: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
        3des: Triple-DES, which encrypts data three times by three keys.
        aes128: A 128-bit block algorithm that uses a 128-bit key.
        aes192: A 128-bit block algorithm that uses a 192-bit key.
        aes256: A 128-bit block algorithm that uses a 256-bit key.
    You can enter any of the following message digests to check the authenticity of messages
    during an encrypted session:
        null: Do not use a message digest.
        md5: Message Digest 5, the hash algorithm developed by RSA Data Security.
        sha1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: No default.
protocol <protocol_integer>
    This keyword is available when selector is set to specify.
    Enter the IP protocol number for the service. The range is 1 to 255. To specify all services,
    type 0.
    Default: 0
replay {disable | enable}
    Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party
    intercepts a series of IPSec packets and replays them back into the tunnel. Enable replay
    detection to check the sequence number of every IPSec packet to see if it has been received
    before. If packets arrive out of sequence, the FortiGate unit discards them.
    You can configure the FortiGate unit to send an alert email when it detects a replay packet. See
    alertemail on page 63.
    Default: disable
route-overlap {overlap_option}
    Specify how the FortiGate unit handles multiple dialup users with the same IP source address.
    Set overlap_option to one of the following:
        allow: allow overlapping routes
        use-new: delete the old route and add the new route
        use-old: use the old route and do not add the new route
    Default: use-new
single-source {disable | enable}
    Enable to allow all FortiClient dialup clients to connect using the same phase 2 tunnel
    definition.
    Default: disable
src-addr-type <ip_source_name>
    If the FortiGate unit is a dialup server, enter the type of source address that corresponds to
    the local sender(s) or network behind the FortiGate dialup server:
    To specify the IPv4 address of a server or host, type ip. Enter the IP address using the
    src-start-ip keyword.
    To specify the IPv6 address of a server or host, type ip6. Enter the IP address using the
    src-start-ip6 keyword.
    To specify a range of IPv4 addresses, type range. Enter the starting and ending addresses using
    the src-start-ip and src-end-ip keywords.
    To specify a range of IPv6 addresses, type range6. Enter the starting and ending addresses
    using the src-start-ip6 and src-end-ip6 keywords.
    To specify an IPv4 network address, type subnet. Enter the network address using the
    src-subnet keyword.
    To specify an IPv6 network address, type subnet6. Enter the network address using the
    src-subnet6 keyword.
    To specify an address defined in a firewall address or address group, type name. Enter the
    address name using the src-name keyword. You must also select the name option for
    dst-addr-type. This is available only for IPv4 addresses.
    If the FortiGate unit is a dialup client, src-addr-type must refer to the server(s), host(s), or
    private network behind the FortiGate dialup client.
    Default: subnet
src-end-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the highest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-end-ip6 <address_ipv6>
    This keyword is available when src-addr-type is set to range6.
    Enter the highest source IP address in the range of IP addresses.
    Default: ::
src-name <address_name>
    This keyword is available when src-addr-type is set to name. Enter the firewall address or
    address group name.
src-port <source_port_number>
    If the FortiGate unit is a dialup server, enter the port number that the FortiGate dialup server
    uses to transport traffic related to the specified service (see protocol). If the FortiGate
    unit is a dialup client, enter the port number that the FortiGate dialup client uses to
    transport traffic related to the specified service. The src-port range is 1 to 65535. To
    specify all ports, type 0.
    Default: 0
src-start-ip <address_ipv4>
    This keyword is available when src-addr-type is set to range.
    Enter the lowest source IP address in the range of IP addresses.
    Default: 0.0.0.0
src-start-ip6 <address_ipv6>
    This keyword is available when src-addr-type is set to range6.
    Enter the lowest source IP address in the range of IP addresses.
    Default: ::
src-subnet <address_ipv4mask>
    If the FortiGate unit is a dialup server, enter the IPv4 IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
    Default: 0.0.0.0 0.0.0.0

src-subnet6 <address_ipv6mask>
    If the FortiGate unit is a dialup server, enter the IPv6 IP address and network mask that identifies the private network behind the FortiGate dialup server. If the FortiGate unit is a dialup client, enter the IP address and network mask that identifies the private network behind the FortiGate dialup client.
    Default: ::/0

Example
Use the following command to add a route-based (interface mode) phase 2 configuration with the following characteristics:
Name: Interface_Tunnel
Phase 1 name: Interface_GW
Encryption and authentication proposal: 3des-sha1 aes256-sha1 des-md5
Keylife type: seconds
Keylife seconds: 18001
Diffie-Hellman group: 2
Replay detection: enable
Perfect forward secrecy: enable
Keepalive: enable
    config vpn ipsec phase2-interface
        edit Interface_Tunnel
            set phase1name Interface_GW
            set proposal 3des-sha1 aes256-sha1 des-md5
            set keylife-type seconds
            set keylifeseconds 18001
            set dhgrp 2
            set replay enable
            set pfs enable
            set keepalive enable
    end

Command history
FortiOS v3.0        New
FortiOS v3.0 MR3    Added src-addr-type name, src-name, dst-addr-type name, dst-name.
FortiOS v3.0 MR5    Removed null-null option from proposal keyword.
                    Added ip6, range6, subnet6 options to src-addr-type keyword.
                    Added dst-end-ip6, dst-start-ip6, dst-subnet6, src-end-ip6, src-start-ip6, src-subnet6 keywords.

Related topics
vpn ipsec phase1-interface
alertemail setting
firewall policy, policy6
l2tp
Use this command to enable L2TP and specify a local address range to reserve for remote L2TP clients. When a remote L2TP client connects to the internal network through an L2TP VPN, the client is assigned an IP address from the specified range.
L2TP clients must authenticate with the FortiGate unit when an L2TP session starts. To support L2TP authentication on the FortiGate unit, you must define the L2TP users who need access and then add them to a user group. For more information, see user group on page 416, user ldap on page 420, user local on page 423, and user radius on page 428.
You need to define a firewall policy to control services inside the L2TP tunnel. For more information, see firewall on page 81. When you define the firewall policy:
Create an external -> internal policy.
Set the source address to match the L2TP address range.
Set the destination address to reflect the private address range of the internal network behind the local FortiGate unit.
Set the policy service(s) to match the type(s) of traffic that L2TP users may generate.
Set the policy action to accept.
Enable NAT if required.
Command syntax pattern
    config vpn l2tp
        set eip <address_ipv4>
        set sip <address_ipv4>
        set status {disable | enable}
        set usrgrp <group_name>
    end
Caution: FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE) encryption only. Later
implementations of Microsoft L2TP for Windows use IPSec and require certificates for authentication and
encryption. If you want to use Microsoft L2TP with IPSec to connect to a FortiGate unit, the IPSec and certificate
elements must be disabled on the remote client. For more information, see the Disabling Microsoft L2TP for
IPSec article in the Fortinet Knowledge Center.
Note: You can configure L2TP VPNs on FortiGate units that run in NAT/Route mode. The commands are
available in NAT/Route mode only. When you configure an L2TP address range for the first time, you must enter
a starting IP address, an ending IP address, and a user group.
Variables Description Default
eip <address_ipv4>
    The ending IP address of the L2TP address range.
    Default: 0.0.0.0

sip <address_ipv4>
    The starting IP address of the L2TP address range.
    Default: 0.0.0.0

status {disable | enable}
    Enable or disable L2TP VPN.
    Default: disable

usrgrp <group_name>
    This keyword is available when status is set to enable. Enter the name of the user group for authenticating L2TP clients. The user group must be added to the FortiGate configuration before it can be specified here. For more information, see user group on page 416, user ldap on page 420, user local on page 423, and user radius on page 428.
    Default: Null.

Example
This example shows how to enable L2TP and set the L2TP address range for the first time using a starting address of 192.168.1.150, an ending address of 192.168.1.160 and an existing group of L2TP users named L2TP_users:
    config vpn l2tp
        set sip 192.168.1.150
        set eip 192.168.1.160
        set status enable
        set usrgrp L2TP_users
    end
Command history
FortiOS v2.80    Revised

Related topics
user group
firewall policy, policy6
pptp
Use this command to enable PPTP and specify a local address range to reserve for remote PPTP
clients. When a remote PPTP client connects to the internal network through a PPTP VPN, the client is
assigned an IP address from the specified range.
PPTP clients must authenticate with the FortiGate unit when a PPTP session starts. To support PPTP
authentication on the FortiGate unit, you must define the PPTP users who need access and then add
them to a user group. For more information, see user group on page 416, user ldap on page 420,
user local on page 423, and user radius on page 428.
You need to define a firewall policy to control services inside the PPTP tunnel. For more information,
see firewall on page 81. When you define the firewall policy:
Create an external -> internal policy.
Set the source address to match the PPTP address range.
Set the destination address to reflect the private address range of the internal network behind the local FortiGate unit.
Set the policy service(s) to match the type(s) of traffic that PPTP users may generate.
Set the policy action to accept.
Enable NAT if required.
Command syntax pattern
    config vpn pptp
        set eip <address_ipv4>
        set sip <address_ipv4>
        set status {disable | enable}
        set usrgrp <group_name>
    end
Note: You can configure PPTP VPNs on FortiGate units that run in NAT/Route mode. The commands are
available in NAT/Route mode only. When you configure a PPTP address range for the first time, you must enter
a starting IP address, an ending IP address, and a user group.
Variables Description Default
eip <address_ipv4>
    The ending address of the PPTP address range.
    Default: 0.0.0.0

sip <address_ipv4>
    The starting address of the PPTP address range.
    Default: 0.0.0.0

status {disable | enable}
    Enable or disable PPTP VPN.
    Default: disable

usrgrp <group_name>
    This keyword is available when status is set to enable. Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. For more information, see user group on page 416, user ldap on page 420, user local on page 423, and user radius on page 428.
    Default: Null.

Example
This example shows how to enable PPTP and set the PPTP address range for the first time using a starting address of 192.168.1.100, an ending address of 192.168.1.130 and an existing group of PPTP users named PPTP_users:
    config vpn pptp
        set sip 192.168.1.100
        set eip 192.168.1.130
        set status enable
        set usrgrp PPTP_users
    end
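The complete procedure described for the l2tp and pptp commands (define the users and user group, reserve the address range, then write the external -> internal firewall policy) as one worked configuration. This is an added example, not part of the original reference; the vpn pptp values are the ones from the example above, while the user local, user group, firewall address and firewall policy keywords are assumptions about the FortiOS 3.0 chapters this page cross-references, the interface names external and internal and the 192.168.10.0/24 network are placeholders, and lines beginning with # are explanatory comments rather than CLI input.

```text
# Added example, not from the original reference. The same sequence serves
# L2TP: replace "config vpn pptp" with "config vpn l2tp" and use the L2TP
# address range from that section.

# 1. A local user and the user group the dialup server authenticates against.
#    (user local / user group keywords: assumption, see those chapters.)
config user local
    edit pptp_user1
        set type password
        set passwd "<strong-password-placeholder>"
    next
end
config user group
    edit PPTP_users
        set member pptp_user1
    next
end

# 2. The PPTP server: the pool of addresses handed to remote clients and the
#    group that must authenticate. Values are the page's own example values.
config vpn pptp
    set sip 192.168.1.100
    set eip 192.168.1.130
    set status enable
    set usrgrp PPTP_users
end

# 3. Firewall addresses for the policy: the PPTP client range and the private
#    network behind the unit (192.168.10.0/24 is a constructed placeholder).
#    firewall address keywords: assumption.
config firewall address
    edit PPTP_clients
        set type iprange
        set start-ip 192.168.1.100
        set end-ip 192.168.1.130
    next
    edit internal_net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
    next
end

# 4. The external -> internal policy from the list on this page: source is the
#    PPTP range, destination the internal network, action accept, and only the
#    service PPTP users need (a single predefined service or a service group;
#    keyword names are an assumption about the firewall policy chapter, page 81).
#    NAT stays off unless the internal network requires it.
config firewall policy
    edit 1
        set srcintf external
        set dstintf internal
        set srcaddr PPTP_clients
        set dstaddr internal_net
        set action accept
        set schedule always
        set service HTTP
        set nat disable
    next
end
```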
Command history
FortiOS v2.80    Revised

Related topics
user group
firewall policy, policy6
ssl monitor
Use this command to display information about logged in SSL VPN users and current SSL VPN
sessions.
Command syntax
    get vpn ssl monitor
Output
Command history
FortiOS v3.0    New.

Related topics
vpn ssl settings
ssl settings
Use this command to configure basic SSL VPN settings including interface idle-timeout values and
SSL encryption preferences. If required, you can also enable the use of digital certificates for
authenticating remote clients.
You can optionally specify the IP address of any Domain Name Service (DNS) server and/or Windows
Internet Name Service (WINS) server that resides on the private network behind the FortiGate unit.
The DNS and/or WINS server will find the IP addresses of other computers whenever a connected
SSL VPN user sends an email message or browses the Internet.
Command syntax pattern
    config vpn ssl settings
        set algorithm <cipher_suite>
        set auth-timeout <auth_seconds>
        set dns-server1 <address_ipv4>
        set dns-server2 <address_ipv4>
        set idle-timeout <idle_seconds>
        set portal-heading <caption>
        set reqclientcert {disable | enable}
        set route-source-interface {disable | enable}
        set servercert <server_cert_name>
        set sslv2 {disable | enable}
        set sslvpn-enable {disable | enable}
        set tunnel-endip <address_ipv4>
        set tunnel-startip <address_ipv4>
        set url-obscuration {disable | enable}
        set wins-server1 <address_ipv4>
        set wins-server2 <address_ipv4>
    end
Note: You can configure SSL VPNs on FortiGate units that run in NAT/Route mode. The commands are available in NAT/Route mode only.
Note: Set the sslvpn-enable attribute to enable to view all possible settings. The tunnel-endip and tunnel-startip keywords are required for tunnel-mode access only. All other keywords are optional.
Variables Description Default
algorithm <cipher_suite>
    This keyword is available when sslvpn-enable is set to enable. Enter one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you specify:
    To use any cipher suite, type low.
    To use a 128-bit or greater cipher suite, type default.
    To use a cipher suite that is greater than 128 bits, type high.
    Default: default

auth-timeout <auth_seconds>
    This keyword is available when sslvpn-enable is set to enable. Enter the period of time (in seconds) to control how long an authenticated connection will remain connected. When this time expires, the system forces the remote client to authenticate again. The range is from 10 to 28800 seconds.
    Default: 1500

dns-server1 <address_ipv4>
    Enter the IP address of the primary DNS server that SSL VPN clients will be able to access after a connection has been established. If required, you can specify a secondary DNS server through the dns-server2 attribute.
    Default: 0.0.0.0

dns-server2 <address_ipv4>
    Enter the IP address of a secondary DNS server if required.
    Default: 0.0.0.0

portal-heading <caption>
    This keyword is available when sslvpn-enable is set to enable. If you want to display a custom caption at the top of the web portal home page, type the message.
    Default: Null.

idle-timeout <idle_seconds>
    This keyword is available when sslvpn-enable is set to enable. Enter the period of time (in seconds) to control how long the connection can remain idle before the system forces the remote user to log in again. The range is from 10 to 28800 seconds.
    Default: 300

reqclientcert {disable | enable}
    This keyword is available when sslvpn-enable is set to enable. Disable or enable the use of group certificates for authenticating remote clients.
    Default: disable

route-source-interface {disable | enable}
    This keyword is available when sslvpn-enable is set to enable. Enable to allow the SSL VPN connection to bypass routing and bind to the incoming interface.
    Default: disable

servercert <server_cert_name>
    This keyword is available when sslvpn-enable is set to enable. Enter the name of the signed server certificate that the FortiGate unit will use to identify itself during the SSL handshake with a web browser when the web browser connects to the login page. The server certificate must already be loaded into the FortiGate configuration. If you do not specify a server certificate, the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect.
    Default: /etc/server

sslv2 {disable | enable}
    This keyword is available when sslvpn-enable is set to enable. Disable or enable SSL version 2 encryption.
    Default: disable

sslvpn-enable {disable | enable}
    Disable or enable remote-client access.
    Default: disable

tunnel-endip <address_ipv4>
    This keyword is available when sslvpn-enable is set to enable. This attribute is required for tunnel-mode access only. Enter the ending address in the range of IP addresses reserved for remote clients.
    Default: 0.0.0.0

tunnel-startip <address_ipv4>
    This keyword is available when sslvpn-enable is set to enable. This attribute is required for tunnel-mode access only. Enter the starting address in the range of IP addresses reserved for remote clients.
    Default: 0.0.0.0

url-obscuration {disable | enable}
    This keyword is available when sslvpn-enable is set to enable. Enable to encrypt the host name of the URL in the display (web address) of the browser for web mode only. This is a requirement for ICSA SSL VPN certification.
    Default: disable
wins-server1 <address_ipv4>
    Enter the IP address of the primary WINS server that SSL VPN clients will be able to access after a connection has been established. If required, you can specify a secondary WINS server through the wins-server2 attribute.
    Default: 0.0.0.0

wins-server2 <address_ipv4>
    Enter the IP address of a secondary WINS server if required.
    Default: 0.0.0.0

Command history
FortiOS v3.0        New.
FortiOS v3.0 MR4    Added route-source-interface.
FortiOS v3.0 MR5    Added url-obscuration.

Related topics
system replacemsg sslvpn
execute vpn sslvpn del-tunnel
vpn ssl monitor
user group
log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
firewall policy, policy6

Example
The following command enables the FortiGate unit to assign virtual IP addresses in the 10.10.10.100 to 10.10.10.105 range to authenticated clients (an IP address range is needed to support tunnel-mode access). The command also sets timeout values for authenticated connections and connection inactivity respectively, using the auth-timeout and idle-timeout keywords from the syntax pattern above.
    config vpn ssl settings
        set sslvpn-enable enable
        set tunnel-startip 10.10.10.100
        set tunnel-endip 10.10.10.105
        set auth-timeout 600
        set idle-timeout 1500
    end
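The vpn ssl settings command with the weakest choices its table permits beside a hardened version of the same command. This is an added example, not part of the original reference; every keyword and range comes from the table above, <server_cert_name> stands for a CA-signed certificate already loaded on the unit, the DNS and WINS addresses are constructed placeholders, and lines beginning with # are explanatory comments rather than CLI input.

```text
# Added example, not from the original reference.

# Weak: any cipher suite accepted (low), SSL version 2 allowed, no client
# certificate required, the factory self-signed certificate presented, and
# the longest lifetimes the table allows, so a stolen session stays usable
# for eight hours.
config vpn ssl settings
    set sslvpn-enable enable
    set algorithm low
    set sslv2 enable
    set reqclientcert disable
    set auth-timeout 28800
    set idle-timeout 28800
    set tunnel-startip 10.10.10.100
    set tunnel-endip 10.10.10.105
end

# Hardened: only cipher suites above 128 bits (high), SSLv2 off, client
# certificates required in addition to the user login, a signed server
# certificate so browsers can verify the login page, re-authentication after
# 1500 s and logoff after 300 s idle (the table's defaults), URL obscuration
# for web mode, and name resolution pointed at servers on the private network.
config vpn ssl settings
    set sslvpn-enable enable
    set algorithm high
    set sslv2 disable
    set reqclientcert enable
    set servercert <server_cert_name>
    set auth-timeout 1500
    set idle-timeout 300
    set url-obscuration enable
    set tunnel-startip 10.10.10.100
    set tunnel-endip 10.10.10.105
    set dns-server1 10.10.1.53
    set wins-server1 10.10.1.54
end
```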
ssl web bookmarks
Use this command to pre-define one or more bookmarks that you add to a bookmark group. A bookmark is associated with a service and an application server. The bookmarks that you define are displayed in the Predefined Bookmarks section of the user's web portal page. Bookmark groups can be associated to SSL VPN user groups. Users within the SSL VPN user group can select a bookmark hyperlink in the Predefined Bookmarks list to initiate a session with the target server application. These bookmarks cannot be edited by the user.
Command syntax pattern
    config vpn ssl web bookmarks
        edit <bookmark_name>
            set apptype <service_type>
            set folder <folder_name>
            set host <host_name>
            set url <target_ip>
    end
Example
The following command creates a bookmark named Company_intranet to the corporate Intranet home page at www.example.com:
    config vpn ssl web bookmarks
        edit Company_intranet
            set apptype web
            set url http://www.example.com
    end
Variables Description Default
edit <bookmark_name>
    Enter a name for the bookmark.
    No default.

apptype <service_type>
    Enter the identifier of the service to associate with the bookmark:
    Type ftp for FTP services.
    Type rdp for Windows Terminal services.
    Type smb for SMB/CIFS (Windows file share) services.
    Type ssh for SSH services.
    Type telnet for telnet services.
    Type vnc for VNC services.
    Type web for HTTP and/or HTTPS services.
    Default: web

folder <folder_name>
    Enter the remote folder name, if apptype is smb or ftp. The folder name must include the server name, //172.20.120.103/myfolder/, for example.
    No default.

host <host_name>
    Enter the host name/IP parameter, if apptype is telnet, rdp, or vnc.
    No default.

url <target_ip>
    Enter the URL of the web page, if apptype is web.
    No default.
Command history
FortiOS v3.0 MR5    New feature.

Related topics
vpn ssl settings
vpn ssl web bookmarks-group
vpn ssl web favorite
ssl web bookmarks-group
Use this command to define a group of bookmarks to associate to an SSL VPN user group.
Command syntax pattern
    config vpn ssl web bookmarks-group
        edit <bkmark_groupname>
            set bookmarks <bookmark_names>
    end
Example
The following command creates a bookmark group that includes the bookmark to the corporate Intranet home page at www.example.com named Company_intranet and a link to the Google search site named Google_site:
    config vpn ssl web bookmarks-group
        edit <bkmark_groupname>
            set bookmarks "Company_intranet" "Google_site"
    end
Variables Description Default
edit <bkmark_groupname>
    Enter the name of the bookmark group.
    No default.

bookmarks <bookmark_names>
    Enter the list of bookmarks to include in the bookmark group. Enclose the bookmark name in quotation marks, and separate each bookmark in the list with a space.
    No default.

Command history
FortiOS v3.0 MR5    New

Related topics
vpn ssl settings
vpn ssl web bookmarks
vpn ssl web favorite
ssl web favorite
Use this command to define one or more bookmarks for an SSL VPN user. A bookmark is associated with a service and an application server. The bookmarks that you define are displayed in the My Bookmarks section of the user's web portal page. Users can select the associated hyperlink to initiate a session with the target server application.
Command syntax pattern
    config vpn ssl web favorite
        edit <bookmark_name>
            set apptype <service_type>
            set folder <folder_name>
            set group <group_name>
            set host <host_name>
            set title <display_text>
            set url <target_ip>
            set user <user_name>
    end
If a bookmark is created by the user through the web portal page, the value for bookmark_name is automatically generated (<user>+<timestamp>+<group>). The text string in title is displayed as the hyperlink in the My Bookmarks list.
If a bookmark is created in the CLI, there must be values assigned to the user and group variables to link the bookmark to a user in an SSL VPN user group, and a text string in title to display as the hyperlink in the My Bookmarks list.
Variables Description Default
apptype <service_type>
    Enter the identifier of the service to associate with the bookmark:
    Type ftp for FTP services.
    Type rdp for Windows Terminal services.
    Type smb for SMB/CIFS (Windows file share) services.
    Type ssh for SSH services.
    Type telnet for telnet services.
    Type vnc for VNC services.
    Type web for HTTP and/or HTTPS services.
    Default: web

folder <folder_name>
    Enter the remote folder name, if apptype is smb or ftp. The folder name must include the server name, //172.20.120.103/myfolder, for example.
    No default.

group <group_name>
    Enter the SSL VPN user group name.
    No default.

host <host_name>
    Enter the host name, if apptype is telnet or rdp.
    No default.

title <display_text>
    Enter a text string to display as the hyperlink on the user's web portal page. Enclose the string in quotation marks if it contains spaces. User entries are automatically named <user>+<timestamp>.
    No default.

url <target_ip>
    Enter the URL of the web page, if apptype is web.
    No default.

user <user_name>
    Enter the user name from the SSL VPN user group.
    No default.
Example
The following command creates a bookmark to the corporate Intranet home page at www.example.com for the user juser who is a member of the SSL VPN user group sslusergroup:
    config vpn ssl web favorite
        edit Company_intranet
            set apptype web
            set title "Company Home Page"
            set url http://www.example.com
            set group sslusergroup
            set user juser
    end
Command history
FortiOS v3.0        New
FortiOS v3.0 MR4    Updated description of keywords, incorporated variables from new commands config vpn ssl web bookmarks and config vpn ssl web bookmarks-group.

Related topics
vpn ssl settings
vpn ssl web bookmarks
vpn ssl web bookmarks-group
webfilter
Use webfilter commands to add banned words to the banned word list, filter URLs, and configure
FortiGuard-Web category filtering.
This chapter contains the following sections:
bword
exmword
fortiguard
ftgd-local-cat
ftgd-local-rating
ftgd-ovrd
urlfilter
bword
Control web content by blocking specific words or patterns. If enabled in the protection profile, the
FortiGate unit searches for words or patterns on requested web pages. If matches are found, values
assigned to the words are totalled. If a user-defined threshold value is exceeded, the web page is
blocked.
Use this command to add or edit and configure options for the Web content block list. Banned words
can be one word or a text string up to 80 characters long. The maximum number of banned words and
patterns in the list is 5000.
When a single word is entered, the FortiGate unit checks Web pages for that word. Add phrases by
enclosing the phrase in single quotes. When a phrase is entered, the FortiGate unit checks Web
pages for any word in the phrase. Add exact phrases by enclosing the phrases in quotation marks. If
the phrase is enclosed in quotation marks, the FortiGate checks Web pages for the exact phrase.
Create banned word patterns using wildcards or Perl regular expressions. See Using Perl regular
expressions on page 47.
You can add multiple banned word lists, and then select the best web content block list for each
protection profile. Choose the command syntax list below according to your FortiGate unit model.
Command syntax pattern
    config webfilter bword
        edit <banned_word_list_integer>
            set name <banned_word_list>
            set comment <banned_word_list_comment>
            config entries
                edit <word_str>
                    set lang {french | japanese | korean | simch | thai | trach | western}
                    set pattern-type {regexp | wildcard}
                    set score <integer_value>
                    set status {enable | disable}
            end
    end
Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
Keywords and variables Description Default
<banned_word_list_integer>
    A unique number to identify the banned word list.

<banned_word_list>
    The name of the banned word list.

<banned_word_list_comment>
    The comment attached to the banned word list.

<word_str>
    The word to be blocked.

lang {french | japanese | korean | simch | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French, Japanese, Korean, Simplified Chinese, Thai, Traditional Chinese, or Western.
    Default: western

pattern-type {regexp | wildcard}
    Set the pattern type for the banned word. Choose from regexp or wildcard. Create patterns for banned words using Perl regular expressions or wildcards.
    Default: wildcard

score <integer_value>
    A numerical weighting applied to the banned word. The score values of all the matching words appearing on a web page are added, and if the total is greater than the webwordthreshold value set in the protection profile, the page is processed according to whether the bannedword option is set with the http command in the protection profile. The score for a banned word is counted once even if the word appears multiple times on the web page.
    Default: 10

status {enable | disable}
    Enable or disable the banned word.
    Default: disable

Command history
FortiOS v2.80       Substantially revised.
FortiOS v3.0        Added score variable. Added multiple-list capability for models 800 and above. Minor changes.
FortiOS v3.0 MR4    All models have the same CLI syntax now.

Related topics
exmword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter urlfilter
exmword
Web content exempt allows overriding of the web content block feature. If any patterns defined in the
web content exempt list appear on a web page, the page will not be blocked even if the web content
block feature would otherwise block it.
Use this command to add or edit and configure options for the Web content exempt list. Exempt words
can be one word or a text string up to 80 characters long. The maximum number of exempt words and
patterns in the list is 5000.
When a single word is entered, the FortiGate unit checks Web pages for that word. Add phrases by
enclosing the phrase in single quotes. When a phrase is entered, the FortiGate unit checks Web
pages for any word in the phrase. Add exact phrases by enclosing the phrases in quotation marks. If
the phrase is enclosed in quotation marks, the FortiGate checks Web pages for the exact phrase.
Create exempt word patterns using wildcards or Perl regular expressions. See Using Perl regular
expressions on page 47.
You can add multiple exempt word lists, and then select the best web content exempt list for each
protection profile. Choose the command syntax list below according to your FortiGate unit model.
Command syntax pattern
    config webfilter exmword
        edit <exempt_word_list_integer>
            set name <exempt_word_list>
            set comment <exempt_word_list_comment>
            config entries
                edit <word_str>
                    set lang {french | japanese | korean | simch | thai | trach | western}
                    set pattern-type {regexp | wildcard}
                    set status {enable | disable}
            end
    end
Note: Perl regular expression patterns are case sensitive for Web Filter content exempt. To make a word or phrase case insensitive, use the regular expression /i. For example, /good language/i exempts all instances of good language regardless of case. Wildcard patterns are not case sensitive.
Keywords and variables Description Default
<exempt_word_list_integer>
    A unique number to identify the exempt word list.

<exempt_word_list>
    The name of the exempt word list.

<exempt_word_list_comment>
    The comment attached to the exempt word list.

<word_str>
    The word to be exempted.

lang {french | japanese | korean | simch | thai | trach | western}
    Enter the language character set used for the exempt word or phrase. Choose from French, Japanese, Korean, Simplified Chinese, Thai, Traditional Chinese, or Western.
    Default: western

pattern-type {regexp | wildcard}
    Set the pattern type for the exempt word. Choose from regexp or wildcard. Create patterns for exempt words using Perl regular expressions or wildcards.
    Default: wildcard

status {enable | disable}
    Enable or disable the exempt word.
    Default: disable
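A banned word list and an exempt word list that work together, as the bword and exmword sections above describe: the scores of matching bword entries are added and compared with the protection profile's webwordthreshold, and any matching exmword entry stops the page from being blocked. This is an added example, not part of the original reference; the list numbers, names, words and the threshold value mentioned in the comments are constructed, the lists still have to be selected in a protection profile to take effect, and lines beginning with # are explanatory comments rather than CLI input.

```text
# Added example, not from the original reference.

# Banned word list 1: one entry for each matching rule described above.
config webfilter bword
    edit 1
        set name "content-block-1"
        set comment "constructed example list"
        config entries
            # Single word, wildcard type: wildcards are not case sensitive.
            edit "casino"
                set pattern-type wildcard
                set score 10
                set status enable
            next
            # Perl regular expression: case sensitive unless /i is added,
            # as the note on this page explains.
            edit "/free bonus/i"
                set pattern-type regexp
                set score 10
                set status enable
            next
            # Wildcard pattern. An entry's score counts once per page however
            # often it appears; scores of different matching entries are added,
            # so a page containing "casino" and "lottery" scores 10 + 15 = 25,
            # which exceeds a (constructed) profile threshold of 20, while a
            # page containing only "casino" scores 10 and is not blocked.
            edit "lott*"
                set pattern-type wildcard
                set score 15
                set status enable
            next
        end
    next
end

# Exempt word list 1: if this pattern appears on the page, the page is not
# blocked even though the entries above would otherwise push it over the
# threshold. Entries default to status disable, so each one is enabled here.
config webfilter exmword
    edit 1
        set name "content-exempt-1"
        set comment "constructed example list"
        config entries
            edit "/gambling addiction helpline/i"
                set pattern-type regexp
                set status enable
            next
        end
    next
end
```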
Command history
FortiOS v3.0 MR2    New.
FortiOS v3.0 MR4    All models have the same CLI syntax now.

Related topics
bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter urlfilter
fortiguard
Use this command to enable Web filtering by specific categories using FortiGuard-Web URL filtering.
FortiGuard-Web category blocking
FortiGuard-Web is a web filtering solution provided by Fortinet. FortiGuard-Web sorts thousands of
Web pages into a wide variety of categories that users can allow, block, or monitor. Categories are also
organized into broader groups to make configuration fast and easy. The FortiGate unit accesses the
nearest FortiGuard-Web server to determine the category of a requested web page and then follows
the firewall policy configured for that user or interface. FortiGuard-Web servers are located worldwide.
FortiGuard-Web licensing
Every FortiGate unit comes with a free 30 day FortiGuard-Web trial license. FortiGuard-Web license
management is done by the FortiGuard-Web server, so there is no need to enter a license number.
The FortiGate unit automatically contacts the FortiGuard-Web servers when FortiGuard-Web category
blocking is enabled.
To renew the FortiGuard-Web license after the free trial, contact Fortinet Technical Support.
FortiGuard-Web configuration
Once enabled, FortiGuard-Web category block settings apply globally. After enabling FortiGuard-Web, configure different categories for each firewall protection profile you create.
See firewall profile on page 101 to configure FortiGuard-Web category blocking in a protection
profile.
See FortiGuard-Web categories in the FortiGate Administration Guide for a complete list and
description of the FortiGuard-Web web filter categories.
HTTP and HTTPS FortiGuard override traffic
The FortiGuard override for HTTP and HTTPS is no longer a single global forward rule. Instead, a
separate rule is created for each protection profile to redirect both the FortiGuard override HTTP and
HTTPS ports, as required, into the authentication daemon. This ensures that these ports only appear
open when the appropriate options are enabled in the profile. A matrix of how the profile options affect
the port status follows:
Table 17: Port status in different profiles
HTTP WF   HTTP ovrd   HTTPS WF   ovrd via HTTPS   HTTP Port   HTTPS Port
0         0           0          0                closed      closed
0         0           0          1                closed      closed
0         0           1          0                closed      open
0         0           1          1                closed      open
0         1           0          0                closed      closed
0         1           0          1                closed      closed
0         1           1          0                closed      open
0         1           1          1                closed      open
1         0           0          0                open        closed
1         0           0          1                open        closed
1         0           1          0                open        open
1         0           1          1                open        open
1         1           0          0                open        closed
1         1           0          1                open        open
1         1           1          0                open        open
1         1           1          1                open        open

There are two separate ports for HTTP and HTTPS override traffic which can be configured independently.
In addition, HTTPS uses the HTTPS override form regardless of the ovrd-auth-https status. If ovrd-auth-https is enabled, any attempts to use the HTTP version of the override form will transparently be re-directed to the HTTPS version.
Command syntax pattern
    config webfilter fortiguard
        set cache-mode {ttl | db-ver}
        set cache-mem-percent <percent_integer>
        set ovrd-auth-port-http <port_integer>
        set ovrd-auth-https <enable | disable>
        set ovrd-auth-port-https <port_integer>
        set cache-prefix-match <enable | disable>
    end
Keywords and variables    Description    Default
cache-mode {ttl | db-ver}
    Change the cache entry expiration mode. Choices are ttl or db-ver.
    Using ttl, cache entries are deleted after a number of seconds determined by the cache-ttl
    setting, or when newer cache entries force the removal of older ones.
    When set to db-ver, cache entries are kept until the FortiGuard database changes, or until
    newer cache entries force the removal of older ones.
    Default: ttl
cache-mem-percent <percent_integer>
    Change the maximum percentage of memory the cache will use. Enter a value from 1 to 15
    percent.
    Default: 2
ovrd-auth-port-http <port_integer>
    The port to use for FortiGuard Web Filter HTTP override authentication.
    Default: 8008
ovrd-auth-https <enable | disable>
    Enable to use HTTPS for override authentication.
    Default: disable
ovrd-auth-port-https <port_integer>
    The port to use for FortiGuard Web Filter HTTPS override authentication.
    Default: 8010
cache-prefix-match <enable | disable>
    Enable or disable prefix matching. If enabled, the FortiGate unit attempts to match a packet
    against the rules in a prefix list, starting at the top of the list. For information on prefix
    lists see the section prefix-list on page 242 of the Router chapter in the FortiOS CLI Guide.
    Default: enable
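The rule behind the sixteen rows of Table 17, as an added example in Python (not FortiOS code and not from this reference): the HTTP override port is open exactly when HTTP web filtering is enabled in the profile, and the HTTPS override port is open when HTTPS web filtering is enabled or when HTTP web filtering, HTTP override and the HTTPS override form are all enabled. The class and function names are the example's own; the "ovrd via HTTPS" column is taken to be the ovrd-auth-https setting, the port numbers are the defaults from the table above, and the table text embedded in the code is a transcription of Table 17 used only to check the rule. The last function answers the question a practitioner usually has before an external scan: which of 8008 and 8010 should appear open, given every profile in use.

```python
"""FortiGuard override port exposure per protection profile (model of Table 17).

Added example, not FortiOS code: encodes the rule behind the 16 rows of Table 17
and checks it against a transcription of the table.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Defaults of ovrd-auth-port-http / ovrd-auth-port-https from config webfilter fortiguard.
OVRD_AUTH_PORT_HTTP = 8008
OVRD_AUTH_PORT_HTTPS = 8010


@dataclass(frozen=True)
class ProfileOverride:
    """The four inputs of Table 17, in column order."""
    http_wf: bool         # HTTP web filtering enabled in the profile
    http_ovrd: bool       # FortiGuard override allowed for HTTP
    https_wf: bool        # HTTPS web filtering enabled in the profile
    ovrd_via_https: bool  # override form served over HTTPS (assumed: ovrd-auth-https)


def port_status(p: ProfileOverride) -> Tuple[str, str]:
    """Return ("open"|"closed", "open"|"closed") for the HTTP and HTTPS override ports.

    Closed form of Table 17:
      * the HTTP override port is open exactly when HTTP web filtering is on;
      * the HTTPS override port is open when HTTPS web filtering is on, or when
        HTTP web filtering and HTTP override are on and the form is served over HTTPS.
    """
    http_open = p.http_wf
    https_open = p.https_wf or (p.http_wf and p.http_ovrd and p.ovrd_via_https)
    return ("open" if http_open else "closed", "open" if https_open else "closed")


# Table 17 transcribed from the page (constructed test data for port_status).
TABLE_17 = """
0 0 0 0 closed closed
0 0 0 1 closed closed
0 0 1 0 closed open
0 0 1 1 closed open
0 1 0 0 closed closed
0 1 0 1 closed closed
0 1 1 0 closed open
0 1 1 1 closed open
1 0 0 0 open closed
1 0 0 1 open closed
1 0 1 0 open open
1 0 1 1 open open
1 1 0 0 open closed
1 1 0 1 open open
1 1 1 0 open open
1 1 1 1 open open
"""


def parse_table_17(text: str = TABLE_17) -> List[Tuple[ProfileOverride, Tuple[str, str]]]:
    """Turn the transcribed table into (inputs, expected port status) rows."""
    rows = []
    for line in text.strip().splitlines():
        a, b, c, d, http, https = line.split()
        rows.append((ProfileOverride(a == "1", b == "1", c == "1", d == "1"), (http, https)))
    return rows


def rule_matches_table() -> bool:
    """True when port_status reproduces every row of Table 17."""
    return all(port_status(p) == expected for p, expected in parse_table_17())


def exposed_override_ports(profiles: Iterable[ProfileOverride],
                           http_port: int = OVRD_AUTH_PORT_HTTP,
                           https_port: int = OVRD_AUTH_PORT_HTTPS) -> Set[int]:
    """Override ports the unit will answer on: a port is open if any one profile opens it."""
    ports: Set[int] = set()
    for p in profiles:
        http, https = port_status(p)
        if http == "open":
            ports.add(http_port)
        if https == "open":
            ports.add(https_port)
    return ports


if __name__ == "__main__":
    assert rule_matches_table()
    in_use = [ProfileOverride(True, True, False, True),     # HTTP WF + override, form over HTTPS
              ProfileOverride(False, False, False, False)]  # profile with no web filtering at all
    print("override ports to expect open:", sorted(exposed_override_ports(in_use)))
```

Because the ports are opened per profile, a profile with web filtering left enabled but unused is enough to expose 8008 on every interface the authentication daemon listens on; compare the set this returns against an external port scan of the unit.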
Command history
FortiOS v2.80       New.
FortiOS v2.80 MR2   Added cerb_hostname, cerb_port, ftgd_hostname, and ftgd_port keywords.
                    Changed license to cerb_license.
FortiOS v2.80 MR4   Removed cerb_hostname, cerb_license, and cerb_port keywords.
                    Removed ftgd_port keyword.
FortiOS v3.0        Added cache-mode, cache-mem-percent, license, expiration, hostname,
                    img-sink-ip, ovrd-auth-port, ovrd-auth-https, and port. Removed
                    ftgd_hostname and service.
                    Name changed from catblock to fortiguard.
FortiOS v3.0 MR1    Many of the commands were moved to config system fortiguard and some new
                    commands were added.
FortiOS v3.0 MR3    cache-prefix-match <enable | disable> command added.
FortiOS v3.0 MR4    Removed the command ovrd-auth-port, replaced with ovrd-auth-port-http.
                    Added the command ovrd-auth-port-https.
                    Added new H3 section on HTTP and HTTPS FortiGuard override traffic.
                    Removed the command img-sink-ip.
Related topics
webfilter bword
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter urlfilter
ftgd-local-cat
Use this command to add local categories to the global URL category list. The categories defined here
appear in the global URL category list when configuring a protection profile. Users can rate URLs
based on the local categories.
Command syntax pattern
config webfilter ftgd-local-cat
  edit <local_cat_str>
    set id <id_integer>
end
Example
This example shows how to add the category local_block with an ID of 10.
config webfilter ftgd-local-cat
  edit local_block
    set id 10
end
Keywords and variables    Description    Default
<local_cat_str>
    The description of the local category.
id <id_integer>
    The local category unique ID number.
    Default: 0
Command history
FortiOS v3.0    New.
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-rating
webfilter ftgd-ovrd
webfilter urlfilter
ftgd-local-rating
Use this command to rate URLs using local categories.
Users can create user-defined categories then specify the URLs that belong to the category. This
allows users to block groups of web sites on a per profile basis. The ratings are included in the global
URL list with associated categories and compared in the same way the URL block list is processed.
The user can also specify whether the local rating is used in conjunction with the FortiGuard rating or is
used as an override.
Command syntax pattern
config webfilter ftgd-local-rating
  edit <local_url_str>
    set rating [[<category_integer>] [group_str] [class_str] ...]
    set status {enable | disable}
end
Example
This example shows how to configure a local rating for the web site www.example.com with a rating
including category 12, all categories in group 4, and classification 1.
config webfilter ftgd-local-rating
  edit www.example.com
    set rating 12 g4 c1
end
Keywords and variables    Description    Default
<local_url_str>
    The URL being rated.
rating [[<category_integer>] [group_str] [class_str] ...]
    Set categories, groups, and classifications for the rating. Enter ? to print a list of category
    codes and descriptions available. To remove categories from the rating, use the unset command.
status {enable | disable}
    Enable or disable the local rating.
    Default: enable
Command history
FortiOS v3.0    New.
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-ovrd
webfilter urlfilter
ftgd-ovrd
Use this command to configure FortiGuard-Web filtering overrides.
Users may require access to web sites that are blocked by a policy. In this case, an administrator can
give the user the ability to override the block for a specified period of time.
When a user attempts to access a blocked site, if override is enabled, a link appears on the block page
directing the user to an authentication form. The user must provide a correct user name and password
or the web site remains blocked. Authentication is based on user groups and can be performed for
local, RADIUS, and LDAP users.
Command syntax pattern
config webfilter ftgd-ovrd
  edit <override_integer>
    set expires
    set ext-ref <allow | deny>
    set ip <ipv4_address>
    set profile <profile_str>
    set rating [[<category_integer>] [group_str] [class_str] ...]
    set scope {user | user-group | ip | profile}
    set status {enable | disable}
    set type {dir | domain | rating}
    set url <url_str>
    set user <user_str>
    set user-group <user_group_str>
end
get webfilter ftgd-ovrd <override_integer>
Keywords and variables    Description    Default
<override_integer>
    The unique ID number of the override.
expires
    The date and time the override expires.
ext-ref <allow | deny>
    Allow or deny access to off-site URLs.
    Default: allow
initiator
    The user who initiated the override rule. This keyword is get-only.
ip <ipv4_address>
    When the scope is ip, the IP address for which the override rule applies.
    Default: 0.0.0.0
profile <profile_str>
    When the scope is profile, the profile for which the override rule applies.
rating [[<category_integer>] [group_str] [class_str] ...]
    Set categories, groups, and classifications for the rating. Enter ? to print a list of category
    codes and descriptions available. To remove categories from the rating, use the unset command.
scope {user | user-group | ip | profile}
    The scope of the override rule.
    Default: user
status {enable | disable}
    Enable or disable the override rule.
    Default: disable
type {dir | domain | rating}
    Specify the type of override rule.
    dir - override the web site directory
    domain - override the domain
    rating - override the specified categories and classifications
    Default: dir
url <url_str>
    The URL for which the override rule applies.
user <user_str>
    When the scope is user, the user for which the override rule applies.
user-group <user_group_str>
    When the scope is user-group, the user group for which the override rule applies.
Example
This example shows how to set an override (13).
config webfilter ftgd-ovrd
  edit 13
    set rating 12 g4 c1
end
Use the following command to get information about an override.
get webfilter ftgd-ovrd 1
id : 1
expires : Wed Jul 6 07:00:30 2005
ext_ref : allow
initiator : admin
scope : user
status : enable
type : dir
url : 192.168.2201.23
user : user_1
Command history
FortiOS v3.0    New.
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter urlfilter
urlfilter
Use this command to control access to specific URLs by adding them to the URL filter list. The
FortiGate unit exempts or blocks Web pages matching any specified URLs and displays a replacement
message instead.
Configure the FortiGate unit to allow, block, or exempt all pages on a website by adding the top-level
URL or IP address and setting the action to allow, block, or exempt.
Block individual pages on a website by including the full path and filename of the web page to block.
Type a top-level URL or IP address to block access to all pages on a website. For example,
www.example.com or 172.16.144.155 blocks access to all pages at this website.
Type a top-level URL followed by the path and filename to block access to a single page on a website.
For example, www.example.com/news.html or 172.16.144.155/news.html blocks the news
page on this website.
To block all pages with a URL that ends with example.com, add example.com to the block list. For
example, adding example.com blocks access to www.example.com, mail.example.com,
www.finance.example.com, and so on.
Use this command to exempt or block all URLs matching patterns created using text and regular
expressions (or wildcard characters). For example, example.* matches example.com,
example.org, example.net and so on. The FortiGate unit exempts or blocks Web pages that
match any configured pattern and displays a replacement message instead.
The maximum number of entries in the list is 5000.
Command syntax pattern
config webfilter urlfilter
  edit <url_filter_list_integer>
    set name <urlfilter_list>
    set comment <urlfilter_list_comment>
    config entries
      edit <url_str>
        set action {allow | block | exempt}
        set status {enable | disable}
        set type {simple | regex}
      end
end
Keywords and variables    Description    Default
<url_filter_list_integer>
    A unique number to identify the URL filter list.
<urlfilter_list>
    The name of the URL filter list.
<urlfilter_list_comment>
    The comment attached to the URL filter list.
<url_str>
    The URL to add to the list.
action {allow | block | exempt}
    The action to take for matches.
    An allow match exits the URL filter list and checks the other web filters.
    An exempt match stops all further checking, including AV scanning. Because an exempt entry
    also bypasses antivirus scanning, keep exempt entries as specific as possible.
    A block match blocks the URL and no further checking is done.
    Default: exempt
status {enable | disable}
    The status of the filter.
    Default: enable
type {simple | regex}
    The type of URL filter: simple or regular expression.
    Default: simple
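The matching rules described above and the three actions in the keyword table, as an added example in Python (not FortiOS code and not from this reference). It assumes entries are evaluated from the top of the list down (the page does not state the order), uses Python's re module in place of the FortiGate regular-expression engine, compares the path of a single-page entry exactly (query string ignored), and takes the documented "ends with example.com" rule literally, which is why a host such as notexample.com would also match an example.com entry. The Entry/UrlFilterList names and the sample list contents are constructed for the example.

```python
"""Model of the webfilter urlfilter matching and action semantics described on this page.

Added example, not FortiOS code. Assumes top-to-bottom evaluation of the entry list and
uses Python's re module in place of the FortiGate regex engine.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit

MAX_ENTRIES = 5000  # "The maximum number of entries in the list is 5000."
ACTIONS = {"allow", "block", "exempt"}


@dataclass
class Entry:
    url: str
    action: str = "exempt"   # CLI default
    status: str = "enable"   # CLI default
    type: str = "simple"     # CLI default


@dataclass
class UrlFilterList:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def add(self, entry: Entry) -> None:
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("URL filter list is full (5000 entries)")
        if entry.action not in ACTIONS:
            raise ValueError("action must be allow, block or exempt")
        self.entries.append(entry)


def split_request(url: str) -> Tuple[str, str]:
    """Return (host, path) for a request URL; a bare 'host/path' is accepted."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def simple_match(pattern: str, host: str, path: str) -> bool:
    """Simple entry: a host (or IP) covers the whole site, including any host that ends
    with it (example.com also covers mail.example.com); a host plus path covers that one
    page. Assumption: exact path comparison, query string ignored."""
    p_host, _, p_path = pattern.partition("/")
    if not host.endswith(p_host.lower()):
        return False
    return p_path == "" or path == "/" + p_path


def regex_match(pattern: str, host: str, path: str) -> bool:
    """Regex entry: searched against host and path together (Python re stands in)."""
    return re.search(pattern, host + path) is not None


def evaluate(flist: UrlFilterList, request_url: str) -> str:
    """Return 'block', 'exempt' or 'continue' for a request.

    allow  -> leave the URL filter list; the other web filters still run ('continue')
    exempt -> stop all further checking, including AV scanning
    block  -> block the URL, no further checking
    No matching entry also yields 'continue'.
    """
    host, path = split_request(request_url)
    for e in flist.entries:
        if e.status != "enable":
            continue
        matcher = regex_match if e.type == "regex" else simple_match
        if matcher(e.url, host, path):
            return "continue" if e.action == "allow" else e.action
    return "continue"


def build_sample_list() -> UrlFilterList:
    """Constructed sample list (hosts from the page's examples plus .test names)."""
    flist = UrlFilterList("sample-urls")
    flist.add(Entry("www.example.com/news.html", "block"))   # one page only
    flist.add(Entry("www.example.com", "allow"))             # rest of this host: allowed
    flist.add(Entry("example.com", "block"))                 # every other host ending in example.com
    flist.add(Entry("172.16.144.155", "exempt"))             # skip all checks, AV included
    flist.add(Entry(r"example\.(net|org)", "block", type="regex"))
    flist.add(Entry("www.blocked.test", "block", status="disable"))  # disabled: never matches
    return flist


if __name__ == "__main__":
    sample = build_sample_list()
    for url in ("www.example.com/news.html", "www.example.com/index.html",
                "mail.example.com/inbox", "https://172.16.144.155/admin",
                "www.example.org/x", "www.blocked.test/", "www.fortinet.com/support"):
        print(f"{url:32} -> {evaluate(sample, url)}")
```

The order of the first three entries matters: the single-page block must sit above the host-wide allow, and the allow above the example.com block, or the wider rule fires first. The exempt entry for 172.16.144.155 illustrates the caveat in the table: anything served from that address is delivered without antivirus scanning.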
Command history
FortiOS v3.0        New.
FortiOS v3.0 MR4    All models have the same CLI syntax now.
Related topics
webfilter bword
webfilter fortiguard
webfilter ftgd-local-cat
webfilter ftgd-local-rating
webfilter ftgd-ovrd
execute
The execute commands perform immediate operations on the FortiGate unit. You can:
Back up and restore the system configuration, or reset the unit to factory settings.
Execute the run but not save feature
Set the unit date and time.
View and clear DHCP leases.
Clear arp table entries.
View and delete log messages. Delete old log files.
Manually dial or hang up the modem (models 50A, 50AM, 60, 60M only).
Use ping or traceroute to diagnose network problems.
Restart the router or the entire FortiGate unit.
Update the antivirus and attack definitions on demand.
Generate certificate requests and install certificates for VPN authentication.
This chapter contains the following sections:
backup
batch
cfg reload
cfg save
clear system arp table
cli
date
deploy
dhcp lease-clear
dhcp lease-list
disconnect-admin-session
factoryreset
formatlogdisk
fortiguard-log delete
fortiguard-log update
fsae refresh
ha disconnect
ha manage
ha synchronize
interface dhcpclient-renew
interface pppoe-reconnect
log delete-all
log delete-filtered
log delete-rolled
log display
log filter
log fortianalyzer test-connectivity
log list
log roll
log stats display
log stats reset
modem dial
modem hangup
mrouter clear
ping
ping-options
ping6
reboot
restore
router clear bgp
router clear bfd
router clear ospf process
router restart
set-next-reboot
shutdown
ssh
telnet
time
traceroute
update-av
update-ips
update-now
upd-vd-license
usb-disk
vpn certificate local
vpn certificate ca
vpn certificate crl
vpn certificate remote
vpn sslvpn del-tunnel
vpn sslvpn del-web
backup
Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP server,
USB disk, or a management station. Management stations can be either a FortiManager unit, or
Central Management service. For more information see system fm on page 318 or system
fortiguard on page 322.
When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the
content of the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings
and the settings for all of the VDOMs. Only the super admin can restore the configuration from this
file.
When you back up the system configuration from a regular administrator account, the backup file
contains the global settings and the settings for the VDOM to which the administrator belongs. Only
a regular administrator account can restore the configuration from this file.
Command syntax
execute backup {disk | memory} alllogs <tftp_ipv4>
execute backup {disk | memory} log <tftp_ipv4> <log_type>
execute backup config management-station <comment>
execute backup config tftp <filename> <tftp_ipv4> [<password>]
execute backup config usb <filename> [<password>]
execute backup full-config tftp <filename> <tftp_ipv4> [<password>]
execute backup full-config usb <filename> [<password>]
execute backup ipsuserdefsig <filename> <tftp_ipv4>
Keywords and variables    Description
{disk | memory} alllogs <tftp_ipv4>
    Back up either all memory or all hard disk log files for this VDOM to a TFTP server. This
    command is effective only on models that log to a hard disk. The file name has the form:
    <log_file_name>_<VDOM>_<date>_<time>
{disk | memory} log <tftp_ipv4> <log_type>
    Back up the selected type of log file from either hard disk or memory to a TFTP server.
    <log_type> can be one of: traffic, event, ids, virus, webfilter, spam, im
config management-station <comment>
    Back up the system configuration to a configured management station.
config tftp <filename> <tftp_ipv4> [<password>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a
    password to protect the saved data. TFTP itself provides neither authentication nor
    encryption, so use the password option whenever the TFTP server is not on a trusted
    management network.
config usb <filename> [<password>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a
    password to protect the saved data.
full-config tftp <filename> <tftp_ipv4> [<password>]
    Back up the full system configuration to a file on a TFTP server. Optionally, you can specify
    a password to protect the saved data.
full-config usb <filename> [<password>]
    Back up the full system configuration to a file on a USB disk. Optionally, you can specify a
    password to protect the saved data.
ipsuserdefsig <filename> <tftp_ipv4>
    Back up IPS user-defined signatures to a file on a TFTP server.
Example
This example shows how to back up the FortiGate unit system configuration to a file named fgt.cfg
on a TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23
Command history
FortiOS v2.80       Revised.
FortiOS v3.0        Added USB backup options.
FortiOS v3.0 MR1    Changed backup log from <filename> <tftp_ipv4> to <tftp_ipv4> <log_type>.
FortiOS v3.0 MR3    log and alllogs now refer to either disk or memory as selected.
FortiOS v3.0 MR4    Added full-config tftp and full-config usb.
FortiOS v3.0 MR5    Added config management-station.
Related topics
execute restore
ips custom
batch
Execute a series of CLI commands.
Command syntax
execute batch [<cmd_cue>]
where <cmd_cue> is one of:
  end - exit the session and run the batch commands
  lastlog - read the result of the last batch commands
  start - start batch mode
  status - batch mode status, reporting whether batch mode is running or stopped
Example
To start batch mode:
execute batch start
Enter batch mode...
To enter commands to run in batch mode:
config system global
  set refresh 5
end
To execute the batch commands:
execute batch end
Exit and run batch commands...
Note: execute batch commands are controlled by the Maintenance (mntgrp) access control group.
Command history
FortiOS v3.0 MR1    New.
FortiOS v3.0 MR4    Control of execute batch commands in Maintenance (mntgrp) access control
                    group.
FortiOS v3.0 MR5    Added lastlog.
cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual
or revert. This command has no effect if the mode is automatic, the default. The set cfg-save
command in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiGate unit
restarts.
In the default configuration change mode, automatic, CLI commands become part of the saved unit
configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you
execute the execute cfg save command. When the FortiGate unit restarts, the saved
configuration is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that unsaved configuration changes are
discarded and the saved configuration is reloaded automatically if the administrative session is
idle for more than a specified timeout period. This provides a way to recover from an erroneous
configuration change, such as changing the IP address of the interface you are using for
administration. You set the timeout in system global using the set cfg-revert-timeout command.
Command syntax
execute cfg reload
Example
This is sample output from the command when successful:
# exec cfg reload
configs reloaded. system will reboot.
This is sample output from the command when not in runtime-only configuration mode:
# exec cfg reload
no config to be reloaded.
Command history
FortiOS v3.0 MR2    New.
Related topics
execute cfg save
system global
cfg save
Use this command to save configuration changes when the configuration change mode is manual or
revert. If the mode is automatic, the default, all changes are added to the saved configuration as
you make them and this command has no effect. The set cfg-save command in system global
sets the configuration change mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you
execute the execute cfg save command. When the FortiGate unit restarts, the saved configuration
is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that unsaved configuration changes are
discarded and the saved configuration is reloaded automatically if the administrative session is
idle for more than a specified timeout period. This provides a way to recover from an erroneous
configuration change, such as changing the IP address of the interface you are using for
administration. To change the timeout from the default of 600 seconds, go to system global and
use the set cfg-revert-timeout command.
Command syntax
execute cfg save
Example
This is sample output from the command:
# exec cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only
configuration mode and no changes have been made:
# exec cfg save
no config to be saved.
Command history
FortiOS v3.0 MR2    New.
Related topics
execute cfg reload
system global
clear system arp table
Clear all the entries in the arp table.
Command syntax
exec clear system arp table
Command history
FortiOS v3.0 MR3    New.
Related topics
execute router restart
get router info routing-table
get system arp
cli
Enable standardized CLI error output messages. If executed, this command stops other debug
messages from displaying in the current CLI session.
Command syntax
exec cli status-msg-only <enable | disable>
The message format is:
[error code]: text message
There are three error categories: OK, Keyword Error, and Data Error. The error code provides details
about the type of error.
An OK message [00000] indicates that the command has been accepted. An ERROR message
indicates that the command generated an error. A Keyword Error [1000x] indicates that the keyword
is not supported, or the attempted command is not recognized. A Data Error [2000x] indicates that
the data source is already in use.
Keywords and variables    Description
status-msg-only <enable | disable>
    Enables standardized CLI error output messages.
Command history
FortiOS v3.0 MR5    New.
date
Get or set the system date.
Command syntax
execute date [<date_str>]
<date_str> has the form yyyy-mm-dd, where
  yyyy is the year and can be 2001 to 2037
  mm is the month and can be 01 to 12
  dd is the day of the month and can be 01 to 31
If you do not specify a date, the command returns the current system date. Shortened values, such as
06 instead of 2006 for the year or 1 instead of 01 for month or day, are not valid.
Example
This example sets the date to 17 September 2004:
execute date 2004-09-17
Command history
FortiOS v2.80 MR4   New.
FortiOS v3.0 MR1    <date_str> changed from mm/dd/yyyy format.
Related topics
execute time
deploy
Configure deploy mode.
This command is used by FortiManager.
Command syntax
execute deploy startcmd
execute deploy confirm <confirm_code>
execute deploy end
Keywords and variables    Description
startcmd
    Put the FortiGate unit into deploy mode.
confirm <confirm_code>
    Enter the confirmation string for this deployment.
end
    End deployment mode and activate the actual deployment. The deployment code is displayed,
    and you will be prompted before this command is executed.
Command history
FortiOS v3.0 MR4    New.
dhcp lease-clear
Clear all DHCP address leases.
Command syntax
execute dhcp lease-clear
Command history
FortiOS v2.80 MR2   New.
FortiOS v3.0        Command name changed from execute dhcpclear.
Related topics
execute dhcp lease-list
system dhcp server
system dhcp reserved-address
dhcp lease-list
Display DHCP leases on a given interface.
Command syntax
execute dhcp lease-list [interface_name]
If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the
list includes all leases issued by DHCP servers on the FortiGate unit.
If there are no DHCP leases in use on the FortiGate unit, an error is returned.
Command history
FortiOS v2.90    New.
Related topics
execute deploy
system dhcp server
system dhcp reserved-address
disconnect-admin-session
Disconnect an administrator who is logged in.
Command syntax pattern
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in
administrators by using the following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
 INDEX  USERNAME  TYPE  FROM                 TIME
 0      admin     WEB   172.20.120.51        Mon Aug 14 12:57:23 2006
 1      admin2    CLI   ssh(172.20.120.54)   Mon Aug 14 12:57:23 2006
Example
This example shows how to disconnect a logged-in administrator.
execute disconnect-admin-session 1
Command history
FortiOS v2.90       New.
FortiOS v3.0 MR3    Changed execute disconnect <index_number> to
                    execute disconnect-admin-session <index_number>. Deleted
                    get system logged-users reference.
Related topics
system mac-address-table
get system info admin status
factoryreset
Reset the FortiGate configuration to factory default settings.
Command syntax
execute factoryreset
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and
reverts the system to its original configuration, including resetting interface addresses.
Command history
FortiOS v2.80    No changes.
Related topics
execute backup
execute reboot
formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.
Command syntax
execute formatlogdisk
Caution: This operation will erase all quarantine files and logging data on the hard disk.
Command history
FortiOS v2.80    No change.
fortiguard-log delete
Delete old FortiGuard log files.
Command syntax
execute fortiguard-log delete <age>
where <age> is in seconds. All log files older than <age> are deleted.
Command history
FortiOS v3.0 MR4    New.
Related topics
system fortiguard
log fortianalyzer setting
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
fortiguard-log update
Update the FortiGuard Log and Analysis contract.
Command syntax
execute fortiguard-log update
Command history
FortiOS v3.0 MR4    New.
Related topics
system fortiguard
log fortianalyzer setting
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
fsae refresh
Use this command to manually refresh user group information from Windows AD servers connected to
the FortiGate unit using the Fortinet Server Authentication Extensions (FSAE).
Command syntax
execute fsae refresh
Command history
FortiOS v3.0    New.
Related topics
user fsae
ha disconnect
Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial
number of the unit to be disconnected. You must also specify an interface name and assign an IP
address and netmask to this interface of the disconnected unit. You can disconnect any unit from the
cluster, even the primary unit. After the unit is disconnected the cluster responds as if the disconnected
unit has failed. The cluster may renegotiate and may select a new primary unit.
To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of
the disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are
set to 0.0.0.0. The interface specified in the command is set to the IP address and netmask that you
specify in the command. In addition, all management access to this interface is enabled. Once the
FortiGate unit is disconnected you can use SSH, telnet, HTTPS, or HTTP to connect to and manage
the FortiGate unit.
Command syntax
execute ha disconnect <cluster-member-serial_str> <interface_str> <address_ipv4> <address_ipv4mask>
Example
This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The
internal interface of the disconnected unit is set to IP address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0
Keywords and variables    Description
cluster-member-serial_str
    The serial number of the cluster unit to be disconnected.
interface_str
    The name of the interface to configure. The command configures the IP address and netmask
    for this interface and also enables all management access for this interface.
Command history
FortiOS v3.0    New.
Related topics
execute ha manage
execute ha synchronize
system ha
ha manage
Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in
the cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of
a subordinate unit. However, if you have logged into a subordinate unit CLI, you can use this command
to log into the primary unit CLI, or the CLI of another subordinate unit.
You can use CLI commands to manage the cluster unit that you have logged into. If you make changes
to the configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to
all cluster units.
Command syntax
execute ha manage <cluster-index>
Example
This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this
example you have already logged into the primary unit. The primary unit has serial number
FGT3082103000056. The subordinate units have serial numbers FGT3012803021709 and
FGT3082103021989.
execute ha manage ?
<id>    please input slave cluster index.
<0>     Subsidary unit FGT3012803021709
<1>     Subsidary unit FGT3082103021989
Type 0 and press Enter to connect to the subordinate unit with serial number FGT3012803021709. The
CLI prompt changes to the host name of this unit. To return to the primary unit, type exit.
From the subordinate unit you can also use the execute ha manage command to log into the
primary unit or into another subordinate unit. Enter the following command:
execute ha manage ?
<id>    please input slave cluster index.
<1>     Subsidary unit FGT3082103021989
<2>     Subsidary unit FGT3082103000056
Type 2 and press Enter to log into the primary unit, or type 1 and press Enter to log into the other
subordinate unit. The CLI prompt changes to the host name of this unit.
Keywords and variables    Description
cluster-index
    The cluster index number of the cluster unit to log into. The first subordinate unit has a
    cluster index of zero. If there are more subordinate units their index numbers are 1, 2, and
    so on. The primary unit has the highest index number. So in a cluster of three FortiGate units:
    The first subordinate unit has a cluster index of 0
    The second subordinate unit has a cluster index of 1
    The primary unit has a cluster index of 2
    Enter ? to list the cluster units that you can log into. The list does not show the unit that
    you are already logged into.
execute ha manage
FortiGate CLI Version 3.0 MR5 Reference
01-30005-0015-20070803 525
Command history
Related topics
execute ha disconnect
execute ha synchronize
system ha
FortiOS v2.80 Unchanged.
FortiOS v3.0 Unchanged.
ha synchronize
Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit. Using this command you can synchronize the following:
  Configuration changes made to the primary unit (normal system configuration, firewall configuration, VPN configuration and so on stored in the FortiGate configuration file),
  Antivirus engine and antivirus definition updates received by the primary unit from the FortiGuard Distribution Network (FDN),
  IPS attack definition updates received by the primary unit from the FDN,
  Web filter lists added to or changed on the primary unit,
  Email filter lists added to or changed on the primary unit,
  Certification Authority (CA) certificates added to the primary unit,
  Local certificates added to the primary unit.
You can also use the start and stop keywords to force the cluster to synchronize its configuration or to stop a synchronization process that is in progress.
Command syntax
execute ha synchronize {config|avupd|attackdef|weblists|emaillists|ca|localcert|all|start|stop}
Variables  Description
config  Synchronize the FortiGate configuration.
avupd  Synchronize the antivirus engine and antivirus definitions.
attackdef  Synchronize attack definitions.
weblists  Synchronize web filter lists.
emaillists  Synchronize email filter lists.
ca  Synchronize CA certificates.
localcert  Synchronize local certificates.
all  Synchronize all of the above.
start  Start synchronizing the cluster configuration.
stop  Stop the cluster from completing synchronizing its configuration.
Example
From the CLI of a subordinate unit, use the following commands to synchronize the antivirus and attack definitions on the subordinate FortiGate unit with the primary unit after the FDN has pushed new definitions to the primary unit.
execute ha synchronize avupd
execute ha synchronize attackdef
Command history
FortiOS v2.80 MR6  Added start and stop keywords.
FortiOS v3.0  Unchanged.
Related topics
execute ha disconnect
execute ha manage
system ha
interface dhcpclient-renew
Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP connection on the specified port, there is no output.
Command syntax
execute interface dhcpclient-renew <port>
Example
This is the output for renewing the DHCP client on port1 before the session closes:
# exec interface dhcpclient-renew port1
renewing dhcp lease on port1
Command history
FortiOS v3.0 MR2  New. Replaces the old connect-enable command.
Related topics
execute deploy
execute dhcp lease-list
interface pppoe-reconnect
Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE connection on the specified port, there is no output.
Command syntax
execute interface pppoe-reconnect <port>
Command history
FortiOS v3.0 MR2  New. Replaces the old connect-enable command.
Related topics
execute modem dial
execute modem hangup
log delete-all
Use this command to clear all log entries in memory and current log files on hard disk. If your FortiGate unit has no hard disk, only log entries in memory will be cleared. You will be prompted to confirm the command.
Command syntax
execute log delete-all
Command history
FortiOS v3.0  New.
Related topics
execute log delete-filtered
execute log delete-rolled
execute log display
execute log filter
execute log list
execute log stats display
execute log stats reset
log delete-filtered
Use this command to delete log messages that match the current filter. You need to first set the log filter with the execute log filter <filter> command.
Command syntax
execute log delete-filtered
Example
To delete all traffic logs, enter the following commands:
execute log filter category traffic
execute log delete-filtered
Command history
FortiOS v2.90  New
FortiOS v3.0 MR2  No change.
Related topics
execute log filter
execute log delete-rolled
execute log display
execute log list
execute log stats display
execute log stats reset
log delete-rolled
Use this command to delete rolled log files.
Command syntax
execute log delete-rolled <category> <start> [<end>]
<category> must be one of: event, ids, spam, traffic, virus or webfilter. The <start> and <end> values represent the range of log files to delete. If <end> is not specified, only the <start> log number is deleted.
Variable  Description
<category>  Enter the category of rolled log files that you want to delete: event, ids, spam, traffic, virus or webfilter.
<start>  Enter the number of the first log to delete. If you are deleting multiple rolled log files, you must also enter a number for end.
<end>  Enter the number of the last log to delete, if you are deleting multiple rolled log files.
Example
To delete all of the rolled traffic log files, enter the following command:
execute log delete-rolled traffic 1 9999
Command history
FortiOS v2.90  New
FortiOS v3.0 MR2  No change.
Related topics
log fortianalyzer setting
execute log delete-filtered
execute log filter
execute log delete-all
log display
Use this command to display log messages that you have selected with the execute log filter command.
Command syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can do this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the commands
execute log filter start_index 1
execute log display
You can restore the log filters to their default values using the command
execute log filter reset
Command history
FortiOS v2.90  New
Related topics
execute log filter
execute log delete-filtered
log filter
Use this command to select log messages for viewing or deletion. You can view one log category on one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Command syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter field action <action> [action2 action3 ...]
execute log filter field date <from_date> <to_date> <negate>
execute log filter field detail <string> [string1 string2 ...]
execute log filter field log_id <logid> [logid2 logid3 ...]
execute log filter field msg <string> [string2 string3 ...]
execute log filter field pri <priority> [priority2 priority3 ...]
execute log filter field reason <string> [string1 string2 ...]
execute log filter field status <string> [string1 string2 ...]
execute log filter field subtype <subtype> [subtype2 subtype3 ...]
execute log filter field time <from_time> <to_time> <negate>
execute log filter field type <type> [type2 type3 ...]
execute log filter field ui <string> [string1 string2 ...]
execute log filter field user <user_id> [user_id2 user_id3 ...]
execute log filter lines_per_view <count>
execute log filter list
execute log filter reset
execute log filter rolled_number <number>
execute log filter start_line <line_number>
Table 18: execute log filter command keywords and variables
Variables  Description  Default
category <category_name>  Enter the type of log you want to select, one of: event, ids, spam, traffic, virus, webfilter.  Default: event
device {disk | memory}  Device where the logs are stored.  Default: disk
field action <action> [action2 action3 ...]  Filter according to action. You can specify up to five actions.  No default.
field date <from_date> <to_date> <negate>  Filter according to date range. Specify dates in the format yyyy-mm-dd. To exclude the date range, specify 1 for negate. By default, negate is 0.  No default.
field detail <string> [string1 string2 ...]  Filter by log detail. You can specify up to five strings to match in the log details.  No default.
field log_id <logid> [logid2 logid3 ...]  Filter by log ID number. Enter one or more log IDs to match. You can specify up to five log IDs.  No default.
field msg <string> [string2 string3 ...]  Filter by log message content. You can specify up to five strings to match in the log message.  No default.
field pri <priority> [priority2 priority3 ...]  Filter by priority. Priorities are: emergency, alert, critical, error, warning, notice, information and debug. You can specify up to five priority levels.  No default.
field reason <string> [string1 string2 ...]  Filter by reason. You can specify up to five strings to match in the reason field.  No default.
field status <string> [string1 string2 ...]  Filter by status. You can specify up to five strings to match in the status field.  No default.
field subtype <subtype> [subtype2 subtype3 ...]  Filter logs by subtype. Subtypes depend on type. You can specify up to five log subtypes.  No default.
field time <from_time> <to_time> <negate>  Filter according to time range. Specify times in the format hh:mm:ss. To exclude the time range, specify 1 for negate. By default, negate is 0.  No default.
field type <type> [type2 type3 ...]  Filter by log type. Types are: attack, content, event, spamfilter, traffic, virus and webfilter. You can specify up to five log types.  No default.
field ui <string> [string1 string2 ...]  Filter by user interface field. You can specify up to five strings to match in the user interface field.  No default.
field user <user_id> [user_id2 user_id3 ...]  Filter by user ID. You can specify up to five user IDs.  No default.
lines_per_view <count>  Set lines per view. Range: 5 to 1000.  Default: 10
list  Display current filter settings.  No default.
number <integer>  Number of log entries displayed per page.  Default: 10
reset  Execute this command to reset all filter settings.  No default.
rolled_number <number>  Select logs from rolled log file. 0 selects current log file.  Default: 0
start_line <line_number>  Select logs starting at specified line number.  Default: 1
Use as many execute log filter commands as you need to define the log messages that you want to view.
Command history
FortiOS v2.90  New
Related topics
execute log delete-filtered
execute log display
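Because execute log filter commands are cumulative, a script that drives the CLI should reset the filter first and send only values Table 18 allows. The following Python helper is an added example, not Fortinet code: it builds the command sequence and enforces the table's constraints (one category, one device, up to five values per field keyword, yyyy-mm-dd dates, hh:mm:ss times, negate 0 or 1, lines_per_view 5 to 1000); the double-quoting of multi-word values is an assumption carried over from the quoting rule the manual states for execute reboot comment.

```python
"""Build a validated 'execute log filter' sequence for FortiOS 3.0 MR5.

Added example, not Fortinet code. The constraints encoded here are the ones
listed in Table 18 of the CLI reference.
"""
import re
from datetime import date, time

CATEGORIES = ("event", "ids", "spam", "traffic", "virus", "webfilter")
DEVICES = ("disk", "memory")
PRIORITIES = ("emergency", "alert", "critical", "error", "warning",
              "notice", "information", "debug")
LOG_TYPES = ("attack", "content", "event", "spamfilter", "traffic",
             "virus", "webfilter")
# 'field' keywords that take one to five values (Table 18)
LIST_FIELDS = ("action", "detail", "log_id", "msg", "pri", "reason",
               "status", "subtype", "type", "ui", "user")
MAX_VALUES = 5
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def _quote(value):
    """Wrap multi-word values in double quotes. Assumption: the manual only
    states this rule for 'execute reboot comment'; it is applied here too."""
    value = str(value)
    if '"' in value or "\n" in value:
        raise ValueError("unsupported character in filter value: %r" % value)
    return '"%s"' % value if " " in value else value


def _check_range(kind, low, high, negate, pattern, parser):
    """Validate a from/to/negate triple; parser() rejects e.g. 2005-13-40."""
    for value in (low, high):
        if not pattern.match(value):
            raise ValueError("%s %r is not in the required format" % (kind, value))
        parser(value)
    if negate not in (0, 1):
        raise ValueError("negate must be 0 or 1")


def build_log_filter(category, device="disk", fields=None, date_range=None,
                     time_range=None, lines_per_view=None, rolled_number=None,
                     start_line=None, reset_first=True):
    """Return the CLI lines to send, ending with 'execute log display'.

    fields:      dict mapping a 'field' keyword to a list of 1..5 values
    date_range:  (from_date, to_date, negate) with yyyy-mm-dd strings
    time_range:  (from_time, to_time, negate) with hh:mm:ss strings
    """
    if category not in CATEGORIES:
        raise ValueError("unknown log category %r" % category)
    if device not in DEVICES:
        raise ValueError("device must be disk or memory")
    cmds = ["execute log filter reset"] if reset_first else []
    cmds.append("execute log filter category %s" % category)
    cmds.append("execute log filter device %s" % device)
    for name, values in (fields or {}).items():
        if name not in LIST_FIELDS:
            raise ValueError("unknown filter field %r" % name)
        if not 1 <= len(values) <= MAX_VALUES:
            raise ValueError("field %s takes 1 to %d values" % (name, MAX_VALUES))
        if name == "pri" and not set(values) <= set(PRIORITIES):
            raise ValueError("unknown priority in %r" % (values,))
        if name == "type" and not set(values) <= set(LOG_TYPES):
            raise ValueError("unknown log type in %r" % (values,))
        cmds.append("execute log filter field %s %s"
                    % (name, " ".join(_quote(v) for v in values)))
    if date_range:
        lo, hi, negate = date_range
        _check_range("date", lo, hi, negate, DATE_RE, date.fromisoformat)
        cmds.append("execute log filter field date %s %s %d" % (lo, hi, negate))
    if time_range:
        lo, hi, negate = time_range
        _check_range("time", lo, hi, negate, TIME_RE, time.fromisoformat)
        cmds.append("execute log filter field time %s %s %d" % (lo, hi, negate))
    if lines_per_view is not None:
        if not 5 <= lines_per_view <= 1000:
            raise ValueError("lines_per_view must be 5..1000")
        cmds.append("execute log filter lines_per_view %d" % lines_per_view)
    if rolled_number is not None:
        if rolled_number < 0:
            raise ValueError("rolled_number must be 0 (current file) or higher")
        cmds.append("execute log filter rolled_number %d" % rolled_number)
    if start_line is not None:
        if start_line < 1:
            raise ValueError("start_line starts at 1")
        cmds.append("execute log filter start_line %d" % start_line)
    cmds.append("execute log filter list")  # echo the settings before viewing
    cmds.append("execute log display")
    return cmds


if __name__ == "__main__":
    # Constructed request: critical and alert event logs from one day on
    # disk, 50 lines at a time, starting at the top of the current file.
    for line in build_log_filter("event", fields={"pri": ["critical", "alert"]},
                                 date_range=("2007-08-01", "2007-08-01", 0),
                                 lines_per_view=50, start_line=1):
        print(line)
```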
log fortianalzyer test-connectivity
Use this command to test the connection to the FortiAnalyzer unit. This command is available only when FortiAnalyzer is configured.
Command syntax
execute log fortianalzyer test-connectivity
The spelling of FortiAnalyzer in this command will be corrected in a later release.
Example
When FortiAnalyzer is connected, the output looks like this:
FortiAnalyzer Host Name: FortiAnalyzer-800
FortiGate Device ID: FG300A2904500044
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 0/1000 MB
Total Free Space: 456690 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
When FortiAnalyzer is not connected, the output is: Connect Error
Command history
FortiOS v3.0  New
Related topics
log fortianalyzer setting
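A FortiGate that loses its FortiAnalyzer keeps running but its logs stay local only, so the connectivity output above is worth checking from a monitoring job rather than by eye. The following Python check is an added example, not Fortinet code: it parses the Key: value lines shown above into a dictionary and flags a missing registration, a refused connection, any channel that is not "Tx & Rx", a nearly full log quota, or the bare "Connect Error" case. The two sample outputs are constructed from the format in the manual, and the 90% quota threshold is an arbitrary choice.

```python
"""Health check over 'execute log fortianalzyer test-connectivity' output.

Added example, not Fortinet code. The sample outputs are constructed from the
format shown in the CLI reference; a real job would capture the output from
a console or SSH session instead.
"""
import re

# Channels the manual shows as "Tx & Rx" when logging is fully working.
CHANNELS = ("Log", "Report", "Content Archive", "Quarantine")

SAMPLE_CONNECTED = """\
FortiAnalyzer Host Name: FortiAnalyzer-800
FortiGate Device ID: FG300A2904500044
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 0/1000 MB
Total Free Space: 456690 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""

SAMPLE_DISCONNECTED = "Connect Error\n"


def parse_test_connectivity(output):
    """Return the 'Key: value' lines as a dict; {} for 'Connect Error'."""
    fields = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line == "Connect Error":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def disk_usage(fields):
    """Return (used_mb, allocated_mb) from the Disk Space line, or None."""
    match = re.match(r"(\d+)/(\d+)\s*MB",
                     fields.get("Disk Space (Used/Allocated)", ""))
    return (int(match.group(1)), int(match.group(2))) if match else None


def check_fortianalyzer(output, quota_warn_pct=90):
    """Return (ok, problems); problems is a list of human-readable findings."""
    fields = parse_test_connectivity(output)
    if not fields:
        return False, ["Connect Error: FortiAnalyzer unreachable"]
    problems = []
    if fields.get("Registration") != "registered":
        problems.append("device not registered: %r" % fields.get("Registration"))
    if fields.get("Connection") != "allow":
        problems.append("connection not allowed: %r" % fields.get("Connection"))
    for channel in CHANNELS:
        if fields.get(channel) != "Tx & Rx":
            problems.append("%s channel is %r, expected 'Tx & Rx'"
                            % (channel, fields.get(channel)))
    usage = disk_usage(fields)
    if usage is None:
        problems.append("disk quota line missing or unparseable")
    elif usage[1] and usage[0] * 100 // usage[1] >= quota_warn_pct:
        problems.append("log quota %d%% used" % (usage[0] * 100 // usage[1]))
    return not problems, problems


if __name__ == "__main__":
    for sample in (SAMPLE_CONNECTED, SAMPLE_DISCONNECTED):
        print(check_fortianalyzer(sample))
```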
log list
You can view the list of current and rolled log files on the console. The list shows the file name, size and timestamp.
Command syntax
execute log list <category>
<category> must be one of: event, ids, spam, traffic, virus or webfilter.
Example
The output looks like this:
elog 8704 Fri Jan 28 14:24:35 2005
elog.1 1536 Thu Jan 27 18:02:51 2005
elog.2 35840 Wed Jan 26 22:22:47 2005
At the end of the list the total number of files in the category is displayed. For example:
501 event log file(s) found.
Command history
FortiOS v3.0  New
Related topics
execute log delete-rolled
log roll
Use this command to roll all log files.
Command syntax
execute log roll
Command history
FortiOS v3.0  New
Related topics
execute log delete-rolled
log stats display
You can view logging statistics on the console.
Command syntax
execute log stats display
Example
The output of the execute log stats display command looks like this:
Traffic Summary since 06/15/2005 08:00:00
HTTP--
08:00-10:00 | 10:00-12:00 | 12:00-14:00 | 14:00-16:00 | 16:00:19:00 | 19:00-08:00
146620474 | 74555285 | 13446810 | 10360145 | 1587037 | 2205124 |
EMAIL--
08:00-10:00 | 10:00-12:00 | 12:00-14:00 | 14:00-16:00 | 16:00:19:00 | 19:00-08:00
2444476 | 12507319 | 1002484 | 903601 | 703117 | 707797 |
FTP--
08:00-10:00 | 10:00-12:00 | 12:00-14:00 | 14:00-16:00 | 16:00:19:00 | 19:00-08:00
24227635 | 0 | 50804213 | 482131381 | 0 | 0 |
VPN--
08:00-10:00 | 10:00-12:00 | 12:00-14:00 | 14:00-16:00 | 16:00:19:00 | 19:00-08:00
0 | 0 | 0 | 0 | 0 | 0 |
OTHER--
08:00-10:00 | 10:00-12:00 | 12:00-14:00 | 14:00-16:00 | 16:00:19:00 | 19:00-08:00
82142508 | 47140911 | 17152276 | 139051390 | 840405 | 419756501 |
Anti-Virus Summary
Day:
Sun | Mon | Tues | Wed | Thu | Fri | Sat
0| 0| 0| 0| 0| 0| 0|
Night:
Sun | Mon | Tues | Wed | Thu | Fri | Sat
0| 0| 0| 0| 0| 0| 0|
Intrusion Summary
Day:
Sun | Mon | Tues | Wed | Thu | Fri | Sat
0| 0| 0| 0| 0| 0| 0|
Night:
Sun | Mon | Tues | Wed | Thu | Fri | Sat
0| 0| 0| 0| 0| 0| 0|
Spam Summary
Day:
Sun | Mon | Tues | Wed | Thu | Fri | Sat
0| 1| 0| 0| 0| 1| 0|
Night:
Sun | Mon | Tues | Wed | Thu | Fri | Sat
0| 0| 0| 0| 0| 0| 0|
Command history
FortiOS v3.0  New
Related topics
execute log stats reset
log stats reset
Reset logging statistics.
Command syntax
execute log stats reset
Command history
FortiOS v3.0  New
Related topics
execute log stats display
modem dial
Dial the modem.
The dial command dials the accounts configured in config system modem until it makes a connection or it has made the maximum configured number of redial attempts.
This command applies only to models 50A, 60, 60M and 60-WiFi and is effective only if the modem is in Standalone mode.
Command syntax
execute modem dial
Command history
FortiOS v2.80  New
Related topics
system modem
execute modem hangup
modem hangup
Hang up the modem.
This command applies only to models 50A, 60, 60M and 60-WiFi and is effective only if the modem is in Standalone mode.
Command syntax
execute modem hangup
Command history
FortiOS v2.80  New
Related topics
system modem
execute modem dial
mrouter clear
Clear multicast routes, RP-sets, IGMP membership records or routing statistics.
Command syntax
Clear IGMP memberships:
execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>
Clear multicast routes:
execute mrouter clear <route-type> {<group-address> {<source-address>}}
Clear PIM-SM RP-sets learned from the bootstrap router (BSR):
execute mrouter clear sparse-mode-bsr
Clear statistics:
execute mrouter clear statistics {<group-address> {<source-address>}}
Table 19: execute mrouter clear command keywords and variables
Variables  Description
<interface-name>  Enter the name of the interface on which you want to clear IGMP memberships.
<group-address>  Optionally enter a group address to limit the command to a particular group.
<route-type>  Enter one of:
  dense-routes - clear only PIM dense routes
  routes - clear all types of multicast routes
  sparse-routes - clear only sparse routes
<source-address>  Optionally, enter a source address to limit the command to a particular source address. You must also specify group-address.
Command history
FortiOS v3.0  New
Related topics
router multicast
get router info bgp
ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another network device.
Command syntax
execute ping {<address_ipv4> | <host-name_str>}
<host-name_str> should be an IP address, or a fully qualified domain name.
Example
This example shows how to ping a host with the IP address 172.20.120.16.
execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
Command history
FortiOS v2.80  No change.
FortiOS v3.0  No change.
Related topics
execute ping-options
execute ping6
execute traceroute
ping-options
Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate unit and another network device.
Command syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
Keyword  Description  Default
data-size <bytes>  Specify the datagram size in bytes.  Default: 56
df-bit {yes | no}  Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.  Default: no
pattern <2-byte_hex>  Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data_size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.  No default.
repeat-count <repeats>  Specify how many times to repeat ping.  Default: 5
source {auto | <source-intf_ip>}  Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface.  Default: auto
timeout <seconds>  Specify, in seconds, how long to wait until ping times out.  Default: 2
tos <service_type>  Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: lowdelay = minimize delay; throughput = maximize throughput; reliability = maximize reliability; lowcost = minimize cost.  Default: 0
ttl <hops>  Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.  Default: 64
validate-reply {yes | no}  Select yes to validate reply data.  Default: no
view-settings  Display the current ping-option settings.  No default.
Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23.
execute ping-options source 192.168.10.23
Command history
FortiOS v2.80  No change.
Related topics
execute ping
execute ping6
execute traceroute
system tos-based-priority
ping6
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6 capable network device.
Command syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
Command history
FortiOS v2.80  New.
Related topics
execute ping
execute ping-options
router static6
reboot
Restart the FortiGate unit.
Command syntax
execute reboot <comment comment_string>
<comment comment_string> allows you to optionally add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word it must be enclosed in quotes.
Example
This example shows the reboot command with a multi-word message included, so the message is enclosed in quotes.
execute reboot comment "December monthly maintenance"
Command history
FortiOS v2.80  Unchanged.
FortiOS v3.0 MR4  Added comment keyword.
Related topics
execute backup
execute factoryreset
restore
Use this command to
  restore the configuration from a file
  change the FortiGate firmware
  change the FortiGate backup firmware
  restore an IPS custom signature file
When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content of the backup file depends on the administrator account that created it.
  A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin account can restore the configuration from this file.
  A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.
Command syntax
execute restore config management-station <type> <revision>
execute restore config tftp <filename> <tftp_ipv4> [<password>]
execute restore config usb <filename> [<password>]
execute restore av tftp <avfile> <tftp_ip4>
execute restore forticlient <fc_filename> <tftp_ipv4>
execute restore image ftp <filename> <ftp_ipv4>
execute restore image tftp <filename> <tftp_ipv4>
execute restore image usb <filename>
execute restore ips tftp <ipsfile> <tftp_ip4>
execute restore ipsuserdefsig <filename> <tftp_ipv4>
execute restore secondary-image tftp <filename> <tftp_ipv4>
execute restore secondary-image usb <filename>
Variables  Description
config management-station <type> <revision>  Restore the system configuration from the Central Management server. The new configuration replaces the existing configuration, including administrator accounts and passwords. type can be normal or template. A template is a configuration that can be applied to multiple FortiGate units. revision is the number of the saved configuration to restore. If the backup file was created with a password, you must specify that password.
config tftp <filename> <tftp_ipv4> [<password>]  Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify that password.
config usb <filename> [<password>]  Restore the system configuration from a file on a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify that password.
av tftp <avfile> <tftp_ip4>  Upload the antivirus database file from a TFTP server to the FortiGate unit.
forticlient <fc_filename> <tftp_ipv4>  Upload the FortiClient image from a TFTP server to the FortiGate unit. The filename must have the format: FortiClientSetup_versionmajor.versionminor.build.exe. For example, FortiClientSetup.3.0.377.exe.
image ftp <filename> <ftp_ipv4>  Upload a firmware image from an FTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.
image tftp <filename> <tftp_ipv4>  Upload a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.
image usb <filename>  Upload a firmware image from a USB disk to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
ips tftp <ipsfile> <tftp_ip4>  Upload the IPS database file from a TFTP server to the FortiGate unit.
ipsuserdefsig <filename> <tftp_ipv4>  Restore an IPS custom signature file. The file will overwrite the existing IPS custom signature file.
secondary-image tftp <filename> <tftp_ipv4>  Upload a firmware image from a TFTP server as the backup firmware of the FortiGate unit. This is available only on models numbered 100 and higher.
secondary-image usb <filename>  Upload a firmware image from a USB disk as the backup firmware of the FortiGate unit. The unit restarts when the upload is complete. This is available only on models numbered 100 and higher.
Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart the FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
Command history
FortiOS v2.80  Revised.
FortiOS v3.0  Added USB restore options and secondary-image restoration. Removed allconfig option.
FortiOS v3.0 MR2  Added FTP restore option.
FortiOS v3.0 MR4  Added av, forticlient, ips keywords.
FortiOS v3.0 MR5  Added config management-station.
Related topics
execute backup
ips custom
router clear bgp
Use this command to clear BGP peer connections.
Command syntax
execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out]
execute router clear bgp flap-statistics {ip_address | ip/netmask}
execute router clear bgp ip <ip_address> [soft] [in | out]
Variables  Description
all  Clear all BGP peer connections.
as <as_number>  Clear BGP peer connections by AS number.
dampening {ip_address | ip/netmask}  Clear route flap dampening information for peer or network.
external {in prefix-filter}  Clear all external peers.
flap-statistics {ip_address | ip/netmask}  Clear flap statistics for peer or network.
ip <ip_address>  Clear BGP peer connections by IP address.
peer-group  Clear all members of a BGP peer-group.
[in | out]  Optionally limit clear operation to inbound only or outbound only.
soft  Do a soft reset that changes the configuration but does not disturb existing sessions.
Command history
FortiOS v2.80 MR2  New.
FortiOS v3.0 MR1  Added flap-statistics keyword.
Related topics
router bgp
router clear bfd
Use this command to clear a bidirectional forwarding detection (BFD) session.
Command syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>
Variables  Description
<src_ip>  Select the source IP address of the session.
<dst_ip>  Select the destination IP address of the session.
<interface>  Select the interface for the session.
Command history
FortiOS v3.0 MR4  New.
Related topics
router bgp
router clear ospf process
Use this command to clear and restart the OSPF router.
Command syntax
execute router clear ospf process
Command history
FortiOS v3.0 MR1  New.
Related topics
router ospf
router restart
Use this command to restart the routing software.
Command syntax
execute router restart
Command history
FortiOS v2.80 MR2  New.
Related topics
router
set-next-reboot execute
set-next-reboot
Use this command to start the FortiGate unit with primary or secondary firmware after the next reboot.
This command is useful only on models numbered 100 and higher which are able to store two firmware
images. By default, the FortiGate unit loads the firmware from the primary partition.
VDOM administrators do not have permission to run this command. It must be executed by a super
administrator.
Command syntax
execute set-next-reboot {primary | secondary}

Command history
FortiOS v3.0        New.
FortiOS v3.0 MR3    VDOM admins can't run this command.

Related topics
execute reboot
execute shutdown
shutdown
Shut down the FortiGate unit now. You will be prompted to confirm this command.
Command syntax
execute shutdown <comment> <comment_string>
<comment> allows you to optionally add a message that will appear in the hard disk log indicating the
reason for the shutdown. If the message is more than one word it must be enclosed in quotes.
Example
This example shows the shutdown command with a multi-word message included, so the message is quoted.
execute shutdown comment "emergency facility shutdown"

Command history
FortiOS v2.80 MR8    New.
FortiOS v3.0 MR4     Added comment.

Related topics
execute factoryreset
execute reboot
ssh
Use this command to establish an ssh session with another system.
Command syntax
execute ssh <destination>
<destination> is the destination in the form user@ip or user@host.
Example
execute ssh admin@172.20.120.122
To end an ssh session, type exit:
FGT-6028030112 # exit
Connection to 172.20.120.122 closed.
FGT-8002805000 #

Command history
FortiOS v3.0 MR3    New.

Related topics
execute ping
execute traceroute
system interface
telnet
Use the telnet client. You can use this tool to test network connectivity.
Command syntax
execute telnet <telnet_ipv4>
<telnet_ipv4> is the address to connect with.
Type exit to close the telnet session.

Command history
FortiOS v3.0    New.

Related topics
execute ping
execute traceroute
system interface
time
Get or set the system time.
Command syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where
  hh is the hour and can be 00 to 23
  mm is the minutes and can be 00 to 59
  ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.
You are allowed to shorten numbers to only one digit when setting the time. For example both 01:01:01
and 1:1:1 are allowed.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03

Command history
FortiOS v2.80 MR4    New.

Related topics
execute date
traceroute
Test the connection between the FortiGate unit and another network device, and display information
about the network hops between the device and the FortiGate unit.
Command syntax
execute traceroute {<ip_address> | <host-name>}
Example
This example shows how to test the connection with http://docs.forticare.com. In this example the
traceroute command times out after the first hop, indicating a possible problem.
# execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
 1  172.20.120.2 (172.20.120.2)  0.324 ms  0.427 ms  0.360 ms
 2  * * *
If your FortiGate unit is not connected to a working DNS server, you will not be able to connect to
remote host-named locations with traceroute.

Command history
FortiOS v2.80    No change.

Related topics
execute ping
execute ping-options
update-av
Use this command to manually initiate the virus definitions and engine update. To update both virus
and attack definitions, use the execute update-now command.
Command syntax
execute update-av

Command history
FortiOS v3.0 MR2    New.

Related topics
execute update-now
system autoupdate override
system autoupdate push-update
system autoupdate schedule
update-ips
Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and
engine update. To update both virus and attack definitions, use the execute update-now command.
Command syntax
execute update-ips

Command history
FortiOS v3.0 MR2    New.
FortiOS v3.0 MR4    Command name changed from execute update-ids to execute update-ips.

Related topics
execute update-now
system autoupdate ips
system autoupdate override
system autoupdate push-update
system autoupdate schedule
update-now
Use this command to manually initiate both virus and attack definitions and engine updates. To initiate
only the virus or only the attack definitions update, use the execute update-av or execute update-ips
command respectively.
Command syntax
execute update-now

Command history
FortiOS v2.80    Revised.

Related topics
execute update-av
execute update-ips
system autoupdate override
system autoupdate push-update
system autoupdate schedule
upd-vd-license
Use this command to enter a Virtual Domain (VDOM) license key.
If your FortiGate model is 3000 or higher, you can purchase a license key from Fortinet to increase the
maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of
10 VDOMs.
This command is only available on FortiGate models 3000 and higher.
Command syntax
execute upd-vd-license <license_key>

Variables        Description
<license_key>    The license key is a 32-character string supplied by Fortinet. Fortinet requires your
                 unit serial number to generate the license key.

Command history
FortiOS v3.0    New.
usb-disk
Use these commands to manage your USB disks.
Command syntax
execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>

Variables                         Description
delete <filename>                 Delete the named file from the USB disk.
format                            Format the USB disk.
list                              List the files on the USB disk.
rename <old_name> <new_name>      Rename a file on the USB disk.

Command history
FortiOS v3.0    New.

Related topics
execute backup
execute restore
vpn certificate local
Use this command to generate a local certificate, to export a local certificate from the FortiGate unit to
a TFTP server, and to import a local certificate from a TFTP server to the FortiGate unit.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local
certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
When you generate a certificate request, you create a private and public key pair for the local
FortiGate unit. The public key accompanies the certificate request. The private key remains
confidential.
When you receive the signed certificate from the CA, use the vpn certificate local command
to install it on the FortiGate unit.
Command syntax - generate
execute vpn certificate local generate <certificate-name_str>
    <key-length> {<host_ip> | <domain-name_str> | <email-addr_str>}
    [<optional_information>]
Note: VPN peers must use digital certificates that adhere to the X.509 standard.
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.
Variable                          Description
<certificate-name_str>            Enter a name for the certificate. The name can contain numbers (0-9),
                                  uppercase and lowercase letters (A-Z, a-z), and the special characters -
                                  and _. Other special characters and spaces are not allowed.
{<host_ip> |                      Enter the host IP address (host_ip), the domain name (domain-name_str),
 <domain-name_str> |              or an email address (email-addr_str) to identify the FortiGate unit
 <email-addr_str>}                being certified. Preferably use an IP address or domain name. If this is
                                  impossible (such as with a dialup client), use an e-mail address.
                                  For host_ip, enter the IP address of the FortiGate unit.
                                  For domain-name_str, enter the fully qualified domain name of the
                                  FortiGate unit.
                                  For email-addr_str, enter an email address that identifies the
                                  FortiGate unit.
                                  If you specify a host IP or domain name, use the IP address or domain
                                  name associated with the interface on which IKE negotiations will take
                                  place (usually the external interface of the local FortiGate unit). If the
                                  IP address in the certificate does not match the IP address of this
                                  interface (or if the domain name in the certificate does not match a DNS
                                  query of the FortiGate unit's IP), then some implementations of IKE may
                                  reject the connection. Enforcement of this rule varies for different
                                  IPSec products.
<key-length>                      Enter 1024, 1536 or 2048 for the size in bits of the encryption key.
[<optional_information>]          Enter optional_information as required to further identify the
                                  certificate. See the Optional information variables table for the list
                                  of optional information variables. You must enter the optional variables
                                  in the order that they are listed in the table. To enter any optional
                                  variable you must enter all of the variables that come before it in the
                                  list. For example, to enter the organization_name_str, you must first
                                  enter the country_code_str, state_name_str, and city_name_str.
                                  While entering optional variables, you can type ? for help on the next
                                  required variable.

Optional information variables
Variable                          Description
<country_code_str>                Enter the two-character country code. Enter execute vpn certificate
                                  local generate <name_str> country followed by a ? for a list of country
                                  codes. The country code is case sensitive. Enter null if you do not want
                                  to specify a country.
<state_name_str>                  Enter the name of the state or province where the FortiGate unit is
                                  located.
<city_name_str>                   Enter the name of the city, or town, where the person or organization
                                  certifying the FortiGate unit resides.
<organization-name_str>           Enter the name of the organization that is requesting the certificate
                                  for the FortiGate unit.
<organization-unit_name_str>      Enter a name that identifies the department or unit within the
                                  organization that is requesting the certificate for the FortiGate unit.
<email_address_str>               Enter a contact e-mail address for the FortiGate unit.
<ca_server_url>                   Enter the URL of the CA (SCEP) certificate server that allows
                                  auto-signing of the request.
<challenge_password>              Enter the challenge password for the SCEP certificate server.

Example - generate
Use the following command to generate a local certificate request with the name branch_cert, the
domain name www.example.com and a key size of 1536.
execute vpn certificate local generate branch_cert 1536 www.example.com

Command syntax - import/export
execute vpn certificate local import tftp <file-name_str> <tftp_ip>
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>

Keyword/variable                  Description
import                            Import the local certificate from a TFTP server to the FortiGate unit.
export                            Export or copy the local certificate from the FortiGate unit to a file
                                  on the TFTP server. Type ? for a list of certificates.
<certificate-name_str>            Enter the name of the local certificate.
<tftp_ip>                         Enter the TFTP server address.
<file-name_str>                   Enter the file name on the TFTP server.
list                              List local certificates.
Examples - import/export
Use the following command to export the local certificate request generated in the above example
from the FortiGate unit to a TFTP server. The example uses the file name testcert for the
downloaded file and the TFTP server address 192.168.21.54.
exec vpn certificate local export tftp branch_cert testcert 192.168.21.54
Use the following command to import the signed local certificate named branch_cert to the
FortiGate unit from a TFTP server with the address 192.168.21.54.
exec vpn certificate local import tftp branch_cert 192.168.21.54
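As an added example that is not part of this reference or Fortinet's code, the following Python helper builds a generate command line from structured input and enforces the rules stated above: the certificate name character set, the permitted key lengths, one identifier (IP address, fully qualified domain name or e-mail address) and the requirement that optional variables form a contiguous prefix of the documented order. The identifier classification, the helper names and the caution about 1024-bit keys are the example's own assumptions.

```python
"""Build an 'execute vpn certificate local generate' command line from
structured input, enforcing the rules the reference states: the certificate
name character set, a key length of 1024, 1536 or 2048, exactly one identifier
(IP address, FQDN or e-mail address) and optional variables given as a
contiguous prefix of the documented order. Added example, not Fortinet code;
it only produces the command text and does not talk to a FortiGate unit."""
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")          # 0-9, A-Z, a-z, '-' and '_' only
KEY_LENGTHS = (1024, 1536, 2048)
# Optional variables in the order the CLI expects them (from the reference).
OPTIONAL_ORDER = (
    "country_code_str", "state_name_str", "city_name_str",
    "organization-name_str", "organization-unit_name_str",
    "email_address_str", "ca_server_url", "challenge_password",
)
# Identifier classification is the example's own assumption; the CLI itself
# simply takes whatever string is given.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_identifier(ident):
    """Return 'host_ip', 'domain-name_str' or 'email-addr_str'."""
    try:
        ipaddress.IPv4Address(ident)
        return "host_ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(ident):
        return "domain-name_str"
    if EMAIL_RE.match(ident):
        return "email-addr_str"
    raise ValueError(f"not an IPv4 address, FQDN or e-mail address: {ident!r}")


def _arg(value):
    """Quote a CLI argument that contains whitespace (e.g. a state name)."""
    return f'"{value}"' if any(c.isspace() for c in value) else value


def build_generate_command(name, key_length, identifier, optional=None):
    """Return (command_line, warnings). 'optional' maps names from
    OPTIONAL_ORDER to values and must be a contiguous prefix of that order."""
    if not NAME_RE.match(name):
        raise ValueError("certificate name may only contain 0-9, A-Z, a-z, '-' and '_'")
    if key_length not in KEY_LENGTHS:
        raise ValueError(f"key length must be one of {KEY_LENGTHS}")
    kind = classify_identifier(identifier)
    warnings = []
    if kind == "email-addr_str":
        warnings.append("e-mail identifier: prefer an IP address or domain name "
                        "unless this is a dialup client")
    if key_length == 1024:
        warnings.append("1024-bit key is the shortest allowed; prefer 2048 "
                        "where the peers support it")  # editor's caveat
    optional = optional or {}
    unknown = sorted(set(optional) - set(OPTIONAL_ORDER))
    if unknown:
        raise ValueError(f"unknown optional variables: {unknown}")
    values = []
    for var in OPTIONAL_ORDER:          # consume the longest contiguous prefix
        if var not in optional:
            break
        values.append(_arg(optional[var]))
    skipped = [v for v in OPTIONAL_ORDER[len(values):] if v in optional]
    if skipped:
        raise ValueError(f"{skipped} given without the variables that precede "
                         f"them; optional variables must be entered in order")
    command = ["execute", "vpn", "certificate", "local", "generate",
               name, str(key_length), identifier, *values]
    return " ".join(command), warnings
```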
Command history
FortiOS v2.80 MR2    The delete keyword was added.
                     The download keyword was changed to export.
FortiOS v2.80 MR3    Keywords were removed from the execute vpn certificate local
                     keyword and replaced with variables.
FortiOS v3.0 MR1     Removed all keywords but generate.
FortiOS v3.0 MR3     Added keywords import, export.
FortiOS v3.0 MR4     Added optional variables for certificate-based user authentication.

Related topics
execute vpn certificate ca
execute vpn certificate remote
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
vpn certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to
export a CA certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate
is the certificate that the FortiGate unit uses to authenticate itself to other devices.
Command syntax
execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>
Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a
TFTP server with the address 192.168.21.54.
execute vpn certificate ca import tftp trust_ca 192.168.21.54
Note: VPN peers must use digital certificates that adhere to the X.509 standard.
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.
Keyword/variable            Description
import                      Import the CA certificate from a TFTP server to the FortiGate unit.
export                      Export or copy the CA certificate from the FortiGate unit to a file on the
                            TFTP server. Type ? for a list of certificates.
<certificate-name_str>      Enter the name of the CA certificate.
<file-name_str>             Enter the file name on the TFTP server.
<tftp_ip>                   Enter the TFTP server address.
auto                        Retrieve a CA certificate from a SCEP server.
tftp                        Import the CA certificate to the FortiGate unit from a file on a TFTP
                            server (local administrator PC).
<ca_server_url>             Enter the URL of the CA certificate server.
<ca_identifier_str>         CA identifier on CA certificate server (optional).
Command history
FortiOS v2.80 MR2    The delete keyword was added.
                     The download keyword was changed to export.
FortiOS v2.80 MR3    Keywords were removed from the execute vpn certificate local
                     keyword and replaced with variables.
FortiOS v3.0 MR1     Removed all keywords but generate.
FortiOS v3.0 MR3     Added keywords import, export.
FortiOS v3.0 MR4     Added keywords auto, tftp and variables <ca_server_url>,
                     <ca_identifier_str> as result of the addition of the PKI certificate
                     authentication feature.

Related topics
execute vpn certificate local
execute vpn certificate remote
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
vpn certificate crl
Use this command to get a CRL via LDAP, HTTP, or SCEP protocol, depending on the auto-update
configuration.
In order to use the command execute vpn certificate crl, the authentication servers must already be
configured.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate
is the certificate that the FortiGate unit uses to authenticate itself to other devices.
Command syntax
execute vpn certificate crl import auto <crl-name>
Note: VPN peers must use digital certificates that adhere to the X.509 standard.
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.

Keyword/variable      Description
import                Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to
                      the FortiGate unit.
<crl-name>            Enter the name of the CRL.
auto                  Trigger an auto-update of the CRL from the configured LDAP, HTTP, or SCEP
                      authentication server.

Command history
FortiOS v3.0 MR4    New.

Related topics
execute vpn certificate ca
execute vpn certificate local
execute vpn certificate remote
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
vpn certificate remote
Use this command to import a remote certificate from a TFTP server, or export a remote certificate
from the FortiGate unit to a TFTP server. The remote certificates are public certificates without a
private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Command syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>

Keyword/variable            Description
import                      Import the remote certificate from the TFTP server to the FortiGate unit.
export                      Export or copy the remote certificate from the FortiGate unit to a file on
                            the TFTP server. Type ? for a list of certificates.
<certificate-name_str>      Enter the name of the public certificate.
<file-name_str>             Enter the file name on the TFTP server.
<tftp_ip>                   Enter the TFTP server address.
tftp                        Import/export the remote certificate via a TFTP server.

Command history
FortiOS v3.0 MR4    New.

Related topics
execute vpn certificate ca
execute vpn certificate local
execute vpn certificate crl
execute vpn sslvpn del-tunnel
execute vpn sslvpn del-web
vpn certificate ca
vpn certificate local
vpn certificate crl
vpn certificate remote
vpn sslvpn del-tunnel
Use this command to delete an SSL tunnel connection.
Command syntax
execute vpn sslvpn del-tunnel <tunnel_index>
<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.

Command history
FortiOS v3.0        New.
FortiOS v3.0 MR1    Added <tunnel_index>.

Related topics
vpn ssl settings
vpn sslvpn del-web
Use this command to delete an active SSL VPN web connection.
Command syntax
execute vpn sslvpn del-web <web_index>
<web_index> identifies which web connection to delete if there is more than one active connection.

Command history
FortiOS v3.0 MR5    New.

Related topics
vpn ssl settings
get
The get commands retrieve information about the operation and performance of your FortiGate unit.
This chapter contains the following sections:
chassis status
gui console status
gui topology status
hardware status
ips anomaly status
ips custom status
ips group status
ipsec tunnel list
router info bgp
router info bfd
router info multicast
router info ospf
router info protocols
router info rip
router info routing-table
system admin list
system admin status
system arp
system central-mgmt status
system checksum
system cmdb status
system dashboard
system fortianalyzer-connectivity
system fortiguard-log-service status
system fortiguard-service status
system ha status
system info admin ssh
system info admin status
system performance status
system session list
system status
chassis status
For FortiGate-5000 series modules installed in a FortiGate-5050 or FortiGate-5140 chassis, you can
use the get chassis status command to view real-time operating status information about the
hardware components installed in the chassis.
Information displayed depends on the FortiGate-5000 series chassis and not on the FortiGate-5000
series module that you are connecting to. You can use this command to view information about all of
the hardware components installed in the chassis (including FortiGate, FortiController and other
Fortinet modules installed in the chassis as well as the chassis shelf managers).
The get chassis status command displays information received from the chassis shelf manager.
The command only displays information if at least one shelf manager is functioning in the chassis and
only if the FortiGate-5000 module that you have connected to can communicate with a shelf manager.
Command syntax
get chassis status
The command display includes the following fields. For more information see the example that follows.
Chassis type            The FortiGate chassis type: 5050 or 5140.
Active shelf manager    The number of the shelf manager slot containing the active shelf manager: 1 or 2.
Current blade           The slot number that the FortiGate module that you are connected to is
                        installed in.
Shelf manager 2         Indicates whether a shelf manager is operating in shelf manager slot 2. exist if
                        a shelf manager is installed and operating in slot 2. empty if shelf manager
                        slot 2 is empty or if the shelf manager in slot 2 is not operating.
Shelf manager 1         Indicates whether a shelf manager is operating in shelf manager slot 1. exist if
                        a shelf manager is installed and operating in slot 1. empty if shelf manager
                        slot 1 is empty or if the shelf manager in slot 1 is not operating.
Blade <slot_integer>:   For each slot in the chassis, the command displays the slot number and the
<module_name>           name of the FortiGate-5000 module installed in the slot.
                        <slot_integer> indicates the slot number in the chassis. Slots 1 to 5 are listed
                        for the FortiGate-5050 chassis and slots 1 to 14 are listed for the
                        FortiGate-5140 chassis.
                        <module_name> indicates the name of the module installed in the chassis slot.
                        <module_name> can be 5001 for the FortiGate-5001SX and 5001FA2, 5002 for
                        the FortiGate-5002FB2, 5003 for the FortiSwitch-5003, and 5005 for the
                        FortiGate-5005FA2, and empty if the slot is empty.
                        The command displays voltage and temperature information for each module in
                        the chassis. The voltage and temperature information that is displayed is
                        different for each module and depends on the voltage and temperature sensors
                        on the module.
Voltage, V              For each slot in the chassis the command displays voltages detected by the
                        voltage sensors in the module installed in the slot. The information displayed
                        for each sensor includes the design voltage (for example 3.3V) followed by the
                        actual voltage (for example, 3.488V). The design voltage depends on the sensor.
                        The voltages that are displayed are different for each module type.
Temp                    For each slot in the chassis the command displays temperatures in degrees
                        Celsius detected by the temperature sensors in the module. The information
                        displayed for each sensor includes the name of the temperature sensor and the
                        temperature reading.
                        The temperatures that are displayed are different for each module type.
Example
The following example shows the get chassis status output for a FortiGate-5050 chassis that
contains the following modules:
  Slot 5: FortiGate-5005FA2
  Slot 4: FortiGate-5001FA2
  Slot 3: FortiGate-5001SX
  Slot 2: FortiSwitch-5003
  Slot 1: empty
  Shelf Manager: one shelf manager in shelf manager slot 1
To enter the command, the administrator has connected to the CLI of the FortiGate-5001SX module
installed in slot 3.
Chassis type: 5050
Active shelf manager: 1
Current blade: 3
Shelf manager 2: empty
Shelf manager 1: exist
Blade 5: 5005
CPU1 Voltage: 1.1956V
CPU2 Voltage: 1.1858V
+5.0V: 4.8755V
+3.3V: 3.321V
+2.5V CPU 1: 2.5742V
+2.5V CPU 2: 2.5376V
+1.2V 1: 1.2054V
+1.2V 2: 1.2348V
Incoming Air-Flo: 35C
CPU Board Temp: 42C
CPU1 Temp: 59C
CPU2 Temp: 60C
Blade 4: 5001
5V: 5.0739V
3.3V: 3.4992V
2.5V: 2.497V
1.8V: 1.8124V
1.5V: 1.5345V
TEMP1: 41C
TEMP2: 35C
Blade 3: 5001
5V: 5.0764V
3.3V: 3.4884V
2.5V: 2.534V
1.8V: 1.8236V
1.5V: 1.5326V
TEMP1: 41C
TEMP2: 34C
Blade 2: 5003
+1.5V: 1.521V
+2V: 1.989V
+2.5V: 2.4921V
+3.3V: 3.3024V
+3.3VSB: 3.3712V
+5VSB: 5.07V
+12V: 12.096V
Baseboard Temp: 38C
BRD Top Temp: 36C
BRD Bottom Temp: 36C
BRD Center Temp: 41C
Blade 1: empty

Command history
FortiOS v3.0 MR3    New.
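An added example, not Fortinet code, that parses the output shown above into per-slot sensor readings and compares each voltage reading against the design value carried in its sensor label (for example +3.3V), flagging readings outside a tolerance and temperatures above a limit. The 10% tolerance, the 70C limit and the helper names are the example's own assumptions.

```python
"""Parse 'get chassis status' output into per-slot sensor readings and flag
voltages outside a tolerance of the design value encoded in the sensor label
(for example +3.3V) or temperatures above a limit. Added example, not Fortinet
code; the default tolerance (10%) and temperature limit (70C) are assumptions."""
import re

# Sample output taken from the reference's FortiGate-5050 example (slot 5
# holds the 5005 module, as the example's description states).
CHASSIS_STATUS = """\
Chassis type: 5050
Active shelf manager: 1
Current blade: 3
Shelf manager 2: empty
Shelf manager 1: exist
Blade 5: 5005
CPU1 Voltage: 1.1956V
CPU2 Voltage: 1.1858V
+5.0V: 4.8755V
+3.3V: 3.321V
+2.5V CPU 1: 2.5742V
+2.5V CPU 2: 2.5376V
+1.2V 1: 1.2054V
+1.2V 2: 1.2348V
Incoming Air-Flo: 35C
CPU Board Temp: 42C
CPU1 Temp: 59C
CPU2 Temp: 60C
Blade 4: 5001
5V: 5.0739V
3.3V: 3.4992V
2.5V: 2.497V
1.8V: 1.8124V
1.5V: 1.5345V
TEMP1: 41C
TEMP2: 35C
Blade 3: 5001
5V: 5.0764V
3.3V: 3.4884V
2.5V: 2.534V
1.8V: 1.8236V
1.5V: 1.5326V
TEMP1: 41C
TEMP2: 34C
Blade 2: 5003
+1.5V: 1.521V
+2V: 1.989V
+2.5V: 2.4921V
+3.3V: 3.3024V
+3.3VSB: 3.3712V
+5VSB: 5.07V
+12V: 12.096V
Baseboard Temp: 38C
BRD Top Temp: 36C
BRD Bottom Temp: 36C
BRD Center Temp: 41C
Blade 1: empty
"""

BLADE_RE = re.compile(r"^\s*Blade (\d+):\s*(\S+)")
SENSOR_RE = re.compile(r"^\s*(.+?):\s*([\d.]+)\s*(V|C)\s*$")
# Design voltage embedded in a label, e.g. "+3.3V", "5V", "+3.3VSB". The V must
# not start a lowercase word, so "CPU1 Voltage" yields no design value.
DESIGN_RE = re.compile(r"(\d+(?:\.\d+)?)V(?![a-z])")


def design_voltage(label):
    m = DESIGN_RE.search(label)
    return float(m.group(1)) if m else None


def parse_chassis(text):
    """Return (header_fields, {slot: {"module": name, "sensors": [(label, value, unit)]}})."""
    header, blades, slot = {}, {}, None
    for line in text.splitlines():
        bm = BLADE_RE.match(line)
        if bm:
            slot = int(bm.group(1))
            blades[slot] = {"module": bm.group(2), "sensors": []}
            continue
        sm = SENSOR_RE.match(line)
        if sm and slot is not None:
            label, value, unit = sm.groups()
            blades[slot]["sensors"].append((label, float(value), unit))
        elif slot is None and ":" in line:      # chassis-level fields before the first blade
            key, val = line.split(":", 1)
            header[key.strip()] = val.strip()
    return header, blades


def check(blades, volt_tol=0.10, temp_limit=70.0):
    """Return (slot, label, message) for readings outside the assumed limits."""
    findings = []
    for slot, blade in blades.items():
        for label, value, unit in blade["sensors"]:
            if unit == "C" and value > temp_limit:
                findings.append((slot, label, f"{value:.0f}C exceeds {temp_limit:.0f}C"))
            elif unit == "V":
                design = design_voltage(label)
                if design is not None and abs(value - design) / design > volt_tol:
                    dev = (value - design) / design
                    findings.append((slot, label, f"{value}V is {dev:+.1%} from design {design}V"))
    return findings
```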
gui console status
Display information about the CLI console.
Command syntax
get gui console status
Example
The output looks like this:
Preferences:
  User: admin
  Colour scheme (RGB): text=FFFFFF, background=000000
  Font: style=monospace, size=10pt
  History buffer=50 lines, external input=disabled

Command history
FortiOS v3.0 MR5    New.

Related topics
get gui topology status
gui topology status
Display information about the topology viewer database.
Command syntax
get gui topology status
Example
The output looks like this:
Preferences:
  Canvas dimensions (pixels): width=780, height=800
  Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
  Background image: type=none, placement: x=0, y=0
  Line style: thickness=2
  Custom background image file: none
Topology element database:
  __FortiGate__: x=260, y=340
  Office: x=22, y=105
  ISPnet: x=222, y=129
  __Text__: x=77, y=112: "Ottawa"
  __Text__: x=276, y=139: "Internet"

Command history
FortiOS v3.0 MR5    New.

Related topics
get gui console status
hardware status
Report information about the FortiGate unit hardware.
Command syntax
get hardware status
Example
The output looks like this:
Model name: Fortigate-800
ASIC version: CP4
SRAM: 64M
CPU: Mobile Genuine Intel(R) processor 1400MHz
RAM: 1009 MB
Compact Flash: 122 MB /dev/hdc
Hard disk: 76308 MB /dev/hda
USB Flash: not available
Network Card chipset: Intel(R) PRO/1000 Network Connection (rev.0x01)
Network Card chipset: Intel(R) PRO/100 M Desktop Adapter (rev.0x0010)

Command history
FortiOS v3.0 MR2    New.

Related topics
system status
ips anomaly status
Displays all the IPS anomaly information.
Command syntax pattern
get ips anomaly status
Example
The output looks like this:
# get ips anomaly status
rule-name: "icmp_dst_session"
rule-id: 16777323
status: enable (default: enable)
action: pass (default: pass)
severity: critical (default: critical)
log: enable
limit-name: default
src-ip: 0.0.0.0
dst-ip: 0.0.0.0
service: 0
threshold: 1000
rule-name: "icmp_flood"
rule-id: 16777316
status: disable (default: disable)
action: pass (default: pass)
severity: critical (default: critical)
log: enable
limit-name: default
src-ip: 0.0.0.0
dst-ip: 0.0.0.0
service: 0
threshold: 250

rule-name      The name of the traffic anomaly rule.
rule-id        The unique number identifying this rule.
status         The status of the traffic anomaly, either enabled or disabled. The default status is
               indicated.
action         The action set for each traffic anomaly. Action can be Pass, Drop, Reset, Reset Client,
               Reset Server, Drop Session, Clear Session, or Pass Session. The default action is
               indicated.
severity       The severity level set for each traffic anomaly. Severity level can be Information, Low,
               Medium, High, or Critical. Severity level is set for individual anomalies. The default
               severity is indicated.
log            The logging status for each traffic anomaly.
limit-name     The name of the limit.
src-ip         The ip address and netmask of the source network.
dst-ip         The ip address and netmask of the destination network.
service        Default setting is 0 (for all services).
threshold      For the anomalies that include the threshold setting, traffic over the specified
               threshold triggers the anomaly.

Command history
FortiOS v3.0 MR3    New command.
FortiOS v3.0 MR4    Added rule-id, name changed to rule-name, and limit name changed to
                    limit-name. status, action, and severity now include default values.
ips custom status
Displays all the IPS custom signature information.
Command syntax pattern
get ips custom status
Example
The output looks like this:
# get ips custom status
name: custom-test
signature: F-SBID (--protocol tcp; --flow established; --content "nude cheerleader"; --no_case)

name           The custom signature name.
signature      The detailed signature.

Command history
FortiOS v3.0 MR3    New command.
ips group status
Displays all the IPS group information.
Command syntax pattern
get ips group status
Example
The output looks like this:
# get ips group status
group-name: custom
type: signature
status: enable
group-name: backdoor
type: signature
status: enable
rule-name: "Agobot.Phatbot.Infection"
rule-id: 101318788
action: pass (default: pass)
log: enable
log-packet: disable
rev: 2.134
severity: info (default: info)
status: enable (default: enable)
rule-name: "Akak.Response"
rule-id: 101318805
action: pass (default: pass)
log: enable
log-packet: disable
rev: 2.134
severity: info (default: info)
status: enable (default: enable)

Keywords and variables                          Description                                              Default
group-name                                      The name of the signature group.
status {enable | disable}                       Displays if the IPS group is enabled or disabled.        enable
rule-name                                       The name of the rule.
rule-id                                         The unique number identifying this rule.
FortiGate CLI Version 3.0 MR5 Reference
588 01-30005-0015-20070803
ips group status get
Command history
act i on {cl ear _sessi on |
dr op
| dr op_sessi on | pass
| pass_sessi on | r eset
| r eset _cl i ent
| r eset _ser ver }
The default action for the rule.
l og {enabl e | di sabl e} If logging is enabled, the action appears in the status field of the
log message generated by the signature.
enabl e
l og_packet {enabl e |
di sabl e}
Displays if the packet logging is enabled or disabled. di sabl e
r ev <r ev_i nt eger > The revision number of the rule. 0
sever i t y {i nf o | l ow |
medi um| hi gh | cr i t i cal }
The severity level for the rule. cr i t i cal
FortiOS v3.0 MR3 New command.
FortiOS v3.0 MR4 Added r ul e- i d, updated output.
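The output above is what an operator reads when checking whether IPS signatures have been quietly downgraded to pass or had logging switched off. The following Python is an added example (not Fortinet code, not from this reference) that parses that output into groups and rules and flags enabled high-severity rules whose action only passes traffic, differs from the shipped default, or does not log. It assumes the key: value layout shown above, including the "(default: ...)" suffix. The sample output is constructed; the "Example.Critical.Backdoor" rule and its rule-id are invented to exercise the check and are not real FortiGuard signatures.

```python
"""Audit `get ips group status` output for enabled signatures whose action or
logging is weaker than their severity warrants.

Added example, not Fortinet code. It assumes the layout shown on this page:
one `group-name:` block per group, each followed by zero or more `rule-name:`
blocks, where `action`, `severity` and `status` carry a `(default: ...)` suffix.
The sample below is constructed; the "Example.Critical.Backdoor" rule and its
rule-id are invented and are not real FortiGuard data.
"""
import re

SAMPLE = """\
group-name: custom
type: signature
status: enable
group-name: backdoor
type: signature
status: enable
rule-name: "Agobot.Phatbot.Infection"
rule-id: 101318788
action: pass (default: pass)
log: enable
log-packet: disable
rev: 2.134
severity: info (default: info)
status: enable (default: enable)
rule-name: "Example.Critical.Backdoor"
rule-id: 999999999
action: pass (default: drop)
log: disable
log-packet: disable
rev: 2.134
severity: critical (default: critical)
status: enable (default: enable)
"""

# key: value [(default: value)]
KV = re.compile(r"^([\w-]+):\s*(.*?)(?:\s+\(default:\s*([^)]+)\))?\s*$")
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
WEAK_ACTIONS = {"pass", "pass_session"}


def parse_ips_group_status(text):
    """Return a list of group dicts, each with a 'rules' list of rule dicts."""
    groups, group, rule = [], None, None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, value, default = m.groups()
        value = value.strip('"')
        if key == "group-name":
            group = {"group-name": value, "rules": []}
            groups.append(group)
            rule = None
        elif key == "rule-name":
            if group is None:
                raise ValueError("rule before any group: %r" % line)
            rule = {"rule-name": value}
            group["rules"].append(rule)
        else:
            # Lines after a rule-name belong to that rule; before one, to the group.
            target = rule if rule is not None else group
            if target is None:
                continue
            target[key] = value
            if default is not None:
                target[key + "-default"] = default
    return groups


def find_weak_rules(groups, min_severity="high"):
    """Enabled rules at or above min_severity that pass traffic, deviate from the
    shipped default action, or do not log. Returns (group, rule, rule-id, reasons)."""
    threshold = SEVERITY_ORDER.index(min_severity)
    findings = []
    for g in groups:
        if g.get("status") != "enable":
            continue
        for r in g["rules"]:
            if r.get("status") != "enable":
                continue
            if SEVERITY_ORDER.index(r.get("severity", "info")) < threshold:
                continue
            reasons = []
            if r.get("action") in WEAK_ACTIONS:
                reasons.append("action=%s" % r["action"])
            if r.get("action") != r.get("action-default"):
                reasons.append("action changed from default %s" % r.get("action-default"))
            if r.get("log") != "enable":
                reasons.append("logging disabled")
            if reasons:
                findings.append((g["group-name"], r["rule-name"], r.get("rule-id"), reasons))
    return findings


if __name__ == "__main__":
    for group, name, rule_id, reasons in find_weak_rules(parse_ips_group_status(SAMPLE)):
        print("%s / %s (rule-id %s): %s" % (group, name, rule_id, "; ".join(reasons)))
```

Run it against a saved copy of the command output; lowering min_severity to "info" makes it report every enabled rule that merely passes traffic, which is useful when reviewing a group that was imported with permissive defaults.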
ipsec tunnel list
List the current IPSec VPN tunnels and their status.
Command syntax
get ipsec tunnel list
Example
The output looks like this:
NAME  REMOTE-GW         PROXY-ID-SOURCE          PROXY-ID-DESTINATION       STATUS  TIMEOUT
VPN1  172.20.120.5:500  0.0.0.0/255.255.255.255  172.20.120.5/172.20.120.5  up      1786
NAME The name of the configured tunnel.
REMOTE-GW The public IP address and UDP port of the remote host device, or, if a NAT device exists in front of the remote host, the public IP address and UDP port of the NAT device.
PROXY-ID-SOURCE The IP address range of the hosts, servers, or private networks behind the FortiGate unit that are available through the VPN tunnel.
PROXY-ID-DESTINATION This field displays IP addresses as a range.
When a FortiClient dialup client establishes a tunnel:
If VIP addresses are not used, the Proxy ID Destination field displays the public IP address of the remote host Network Interface Card (NIC).
If VIP addresses were configured (manually or through FortiGate DHCP relay), the Proxy ID Destination field displays either the VIP address belonging to the FortiClient dialup client, or the subnet address from which VIP addresses were assigned.
When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field displays the IP address of the remote private network.
STATUS Tunnel status: up or down.
TIMEOUT The number of seconds before the next phase 2 key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife duration setting. When the phase 2 key expires, a new key is generated without interrupting service.
Command history
FortiOS v3.0 MR2 New.
Related topics
vpn ipsec phase1
vpn ipsec phase1-interface
vpn ipsec manualkey
vpn ipsec manualkey-interface
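The tunnel list is a fixed set of whitespace-separated columns, which makes it easy to turn into a periodic check. The following Python is an added example (not Fortinet code, not from this reference) that parses the output into one record per tunnel and reports tunnels that are down, tunnels whose phase 2 key is about to be renegotiated, and tunnels with a wildcard proxy ID. It assumes the column layout shown above and that no field contains a space. VPN1 is the row from this page; VPN2 and VPN3 are constructed, and treating 0.0.0.0/0.0.0.0 as a selector worth reviewing is this example's own policy rather than something the page states.

```python
"""Parse `get ipsec tunnel list` output and report tunnels that need a look.

Added example, not Fortinet code. It assumes the layout shown on this page:
a header line of column names followed by one whitespace-separated line per
tunnel, with no spaces inside any field. VPN1 is the row from this page;
VPN2 and VPN3 are constructed. Treating 0.0.0.0/0.0.0.0 as a wildcard proxy
ID worth reviewing is this example's own policy, not something the page states.
"""

SAMPLE = """\
NAME  REMOTE-GW         PROXY-ID-SOURCE          PROXY-ID-DESTINATION       STATUS  TIMEOUT
VPN1  172.20.120.5:500  0.0.0.0/255.255.255.255  172.20.120.5/172.20.120.5  up      1786
VPN2  203.0.113.9:4500  10.1.0.0/255.255.0.0     10.2.0.0/255.255.0.0       down    0
VPN3  198.51.100.7:500  0.0.0.0/0.0.0.0          0.0.0.0/0.0.0.0            up      42
"""

ANY_SELECTOR = "0.0.0.0/0.0.0.0"


def parse_tunnel_list(text):
    """Return one dict per tunnel, keyed by the header column names, plus the
    REMOTE-GW split into REMOTE-IP / REMOTE-PORT and TIMEOUT as an int."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError("unexpected row: %r" % line)
        row = dict(zip(header, fields))
        row["TIMEOUT"] = int(row["TIMEOUT"])
        host, _, port = row["REMOTE-GW"].rpartition(":")
        row["REMOTE-IP"], row["REMOTE-PORT"] = host, int(port)
        rows.append(row)
    return rows


def review_tunnels(rows, rekey_soon=60):
    """Map tunnel name -> observations; tunnels with nothing to report are omitted."""
    notes = {}
    for r in rows:
        issues = []
        if r["STATUS"] != "up":
            issues.append("tunnel is %s" % r["STATUS"])
        if ANY_SELECTOR in (r["PROXY-ID-SOURCE"], r["PROXY-ID-DESTINATION"]):
            issues.append("wildcard proxy ID; confirm this is intended")
        # TIMEOUT counts down to the next phase 2 rekey (see the field table above).
        if r["STATUS"] == "up" and r["TIMEOUT"] < rekey_soon:
            issues.append("phase 2 rekey due in %ds" % r["TIMEOUT"])
        if issues:
            notes[r["NAME"]] = issues
    return notes


if __name__ == "__main__":
    for name, issues in review_tunnels(parse_tunnel_list(SAMPLE)).items():
        print("%s: %s" % (name, "; ".join(issues)))
```

The parser keys on the header line rather than on column positions, so it still works if a future release reorders or widens the columns, as long as the names stay the same.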
router info bgp
Use this command to display information about the BGP configuration.
Command syntax
get router info bgp <keyword>
<keyword> Description
cidr-only Show all BGP routes having non-natural network masks.
community Show all BGP routes having their COMMUNITY attribute set.
community-info Show general information about the configured BGP communities, including the routes in each community and their associated network addresses.
community-list Show all routes belonging to configured BGP community lists.
dampening {dampened-paths | flap-statistics | parameters} Display information about dampening:
Type dampened-paths to show all paths that have been suppressed due to flapping.
Type flap-statistics to show flap statistics related to BGP routes.
Type parameters to show the current dampening settings.
filter-list Show all routes matching configured AS-path lists.
inconsistent-as Show all routes associated with inconsistent autonomous systems of origin.
memory Show the BGP memory table.
neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter | <address_ipv4> received-routes | <address_ipv4> routes] Show information about connections to TCP and BGP neighbors.
network [<address_ipv4mask>] Show general information about the configured BGP networks, including their network addresses and associated prefixes.
network-longer-prefixes <address_ipv4mask> Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes associated with the prefix.
paths Show general information about BGP AS paths, including their associated network addresses.
prefix-list <name> Show all routes matching configured prefix list <name>.
quote-regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.
regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).
route-map Show all routes matching configured route maps.
scan Show information about next-hop route scanning, including the scan interval setting.
summary Show information about BGP neighbor status.
Example
For the command get router info bgp memory, the output looks like:
Memory type                         Alloc count   Alloc bytes
=================================== ============= ===============
BGP structure                     :           2          1408
BGP VR structure                  :           2           104
BGP global structure              :           1            56
BGP peer                          :           2          3440
BGP as list master                :           1            24
Community list handler            :           1            32
BGP Damp Reuse List Array         :           2          4096
BGP table                         :          62           248
-------------------------------------------------------------------
Temporary memory                  :        4223         96095
Hash                              :           7           140
Hash index                        :           7         28672
Hash bucket                       :          11           132
Thread master                     :           1           564
Thread                            :           4           144
Link list                         :          32           636
Link list node                    :          24           288
Show                              :           1           396
Show page                         :           1          4108
Show server                       :           1            36
Prefix IPv4                       :          10            80
Route table                       :           4            32
Route node                        :          63          2772
Vector                            :        2180         26160
Vector index                      :        2180         18284
Host config                       :           1             2
Message of The Day                :           1           100
IMI Client                        :           1           708
VTY master                        :           1            20
VTY if                            :          11          2640
VTY connected                     :           5           140
Message handler                   :           2           120
NSM Client Handler                :           1         12428
NSM Client                        :           1          1268
Host                              :           1            64
Log information                   :           2            72
Context                           :           1           232
-------------------------------------------------------------------
bgp proto specifc allocations : 9408 B
bgp generic allocations : 196333 B
bgp total allocations : 205741 B
Command history
FortiOS v3.0 New.
FortiOS v3.0 MR2 Command moved from router to get chapter.
Related topics
router aspath-list
router bgp
router community-list
router info bfd
Use this command to list state information about the neighbors in the bi-directional forwarding table.
Command syntax
get router info bfd neighbour
Command history
FortiOS v3.0 MR4 New.
router info multicast
Use this command to display information about a Protocol Independent Multicasting (PIM)
configuration. Multicast routing is supported in the root virtual domain only.
Command syntax
get router info multicast <keywords>
<keywords> Description
igmp Show Internet Group Management Protocol (IGMP) membership information according to one of these qualifiers:
Type groups [{<interface-name> | <group-address>}] to show IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
Type groups-detail [{<interface-name> | <group-address>}] to show detailed IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
Type interface [<interface-name>] to show IGMP information for all multicast groups associated with the specified interface.
pim dense-mode Show information related to dense mode operation according to one of these qualifiers:
Type interface to show information about PIM-enabled interfaces.
Type interface-detail to show detailed information about PIM-enabled interfaces.
Type neighbor to show the current status of PIM neighbors.
Type neighbor-detail to show detailed information about PIM neighbors.
Type next-hop to show information about next-hop PIM routers.
Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
pim sparse-mode Show information related to sparse mode operation according to one of these qualifiers:
Type bsr-info to show Boot Strap Router (BSR) information.
Type interface to show information about PIM-enabled interfaces.
Type interface-detail to show detailed information about PIM-enabled interfaces.
Type neighbor to show the current status of PIM neighbors.
Type neighbor-detail to show detailed information about PIM neighbors.
Type next-hop to show information about next-hop PIM routers.
Type rp-mapping to show Rendezvous Point (RP) information.
Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table [<group-address>] [<source-address>] Show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table-count [<group-address>] [<source-address>] Show statistics related to the specified multicast group address and/or multicast source address.
Examples
This example displays all of the PIM entries in the multicast routing table:
get router info multicast table
This example displays IGMP information for the multicast group associated with multicast group address 239.254.2.0:
get router info multicast igmp groups 239.254.2.0
Command history
FortiOS v3.0 New.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
router multicast
execute mrouter clear
router info ospf
Use this command to display information about the FortiGate OSPF configuration and/or the Link-
State Advertisements (LSAs) that the FortiGate unit obtains and generates. An LSA identifies the
interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-
enabled routers to select the shortest path to a destination.
Command syntax
get router info ospf <keyword>
<keyword> Description
border-routers Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
database <qualifier> Show information from the OSPF routing database according to one of these qualifiers. Where a qualifier accepts a <target>, <target> can be one of the following values:
Type adv_router <address_ipv4> to limit the information to LSAs originating from the router at the specified IP address.
Type self-originate to limit the information to LSAs originating from the FortiGate unit.
adv-router <address_ipv4> Type adv-router <address_ipv4> to show OSPF Advertising Router link states for the router at the given IP address.
asbr-summary <target> Type asbr-summary to show information about ASBR summary LSAs.
brief Type brief to show the number and type of LSAs associated with each OSPF area.
external <target> Type external to show information about external LSAs.
max-age Type max-age to show all LSAs in the MaxAge list.
network <target> Type network to show information about network LSAs.
nssa-external <target> Type nssa-external to show information about not-so-stubby external LSAs.
opaque-area <address_ipv4> Type opaque-area <address_ipv4> to show information about opaque Type 10 (area-local) LSAs (see RFC 2370).
opaque-as <address_ipv4> Type opaque-as <address_ipv4> to show information about opaque Type 11 LSAs (see RFC 2370), which are flooded throughout the AS.
opaque-link <address_ipv4> Type opaque-link <address_ipv4> to show information about opaque Type 9 (link-local) LSAs (see RFC 2370).
router <target> Type router to show information about router LSAs.
self-originate Type self-originate to show self-originated LSAs.
summary <target> Type summary to show information about summary LSAs.
interface [<interface_name>] Show the status of one or all FortiGate interfaces and whether OSPF is enabled on those interfaces.
neighbor [all | <neighbor_id> | detail | detail all | interface <address_ipv4>] Show general information about OSPF neighbors, excluding down-status neighbors:
Type all to show information about all neighbors, including down-status neighbors.
Type <neighbor_id> to show detailed information about the specified neighbor only.
Type detail to show detailed information about all neighbors, excluding down-status neighbors.
Type detail all to show detailed information about all neighbors, including down-status neighbors.
Type interface <address_ipv4> to show neighbor information based on the FortiGate interface IP address that was used to establish the neighbor relationship.
route Show the OSPF routing table.
status Show general information about the OSPF routing processes.
virtual-links Show information about OSPF virtual links.
Examples
The following example shows how to display information from router LSAs originating from a neighboring router at IP address 10.2.4.1:
get router info ospf database router adv_router 10.2.4.1
The following example shows how to display the number and type of LSAs associated with each OSPF area to which the FortiGate unit is linked:
get router info ospf database brief
The following command shows the status of all FortiGate interfaces and whether OSPF is enabled on those interfaces:
get router info ospf interface
Command history
FortiOS v2.80 MR1 New.
FortiOS v2.80 MR2 Renamed from execute router show ospf.
FortiOS v2.80 MR7 Added status keyword.
FortiOS v3.0 Added variants of the database and neighbor keywords.
FortiOS v3.0 MR1 No change.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
execute router restart
get router info protocols
get router info routing-table
system interface
router ospf
router info protocols
Use this command to show the current states of active routing protocols. Inactive protocols are not
displayed.
Command syntax
get router info protocols
Example
The output looks like this:
# get router info protocols
Routing Protocol is "rip"
Sending updates every 30 seconds with +/- 50%
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Distance: (default is 120)
Routing Protocol is "ospf 0"
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing:
Routing for Networks:
Routing Information Sources: Gateway Distance Last Update
Distance: (default is 110) Address Mask Distance List
Routing Protocol is "bgp 5"
IGP synchronization is disabled
Automatic route summarization is disabled
Default local-preference applied to incoming route is 100
Redistributing:
Neighbor(s):
Address AddressFamily FiltIn FiltOut DistIn DistOut RouteMapIn RouteMapOut Weight
192.168.20.10 unicast
Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show protocols.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
execute router restart
get router info rip
get router info routing-table
router rip
router ospf
router info rip
Use this command to display information about the RIP configuration.
Command syntax
get router info rip <keyword>
<keyword> Description
database Show the entries in the RIP routing database.
interface [<interface_name>] Show the status of the specified FortiGate unit interface <interface_name> and whether RIP is enabled. If interface is used alone, it lists all the FortiGate unit interfaces and whether RIP is enabled on each.
Example
The following command displays the RIP configuration information for the port1 interface:
get router info rip interface port1
Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show rip.
FortiOS v3.0 Added optional interface_name component to interface attribute.
FortiOS v3.0 MR1 No change.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
get router info protocols
get router info routing-table
router rip
system interface
router info routing-table
Use this command to display the routes in the routing table.
Command syntax
get router info routing-table <keyword>
<keyword> Description
all Show all entries in the routing table.
bgp Show the BGP routes in the routing table.
connected Show the connected routes in the routing table.
database Show the routing information database.
details [<address_ipv4mask>] Show detailed information about a route in the routing table, including the next-hop routers, metrics, outgoing interfaces, and protocol-specific information.
ospf Show the OSPF routes in the routing table.
rip Show the RIP routes in the routing table.
static Show the static routes in the routing table.
Example
The following command displays the entire routing table:
get router info routing-table all
Command history
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show routing_table.
FortiOS v3.0 Added <keyword> variable to command syntax and replaced underscore character in command with hyphen.
FortiOS v3.0 MR1 Added database keyword.
FortiOS v3.0 MR2 Moved from router to get chapter.
Related topics
execute router restart
get router info ospf
get router info protocols
get router info rip
router policy
router rip
router static
router static6
system interface
system admin list
View a list of all the current administration sessions.
Command syntax pattern
get system admin list
Example
The output looks like this:
# get system admin list
username  local  device                    remote                started
admin     sshv2  port1:172.20.120.148:22   172.20.120.16:4167    2006-08-09 12:24:20
admin     https  port1:172.20.120.148:443  172.20.120.161:56365  2006-08-09 12:24:20
admin     https  port1:172.20.120.148:443  172.20.120.16:4214    2006-08-09 12:25:29
username Name of the admin account for this session. admin
local The protocol this session used to connect to the FortiGate unit. sshv2
device The interface, IP address, and port used by this session to connect to the FortiGate unit. port1:172.20.120.148:22
remote The IP address and port used by the originating computer to connect to the FortiGate unit. 172.20.120.16:4167
started The time the current session started. 2006-08-09 12:24:20
Command history
FortiOS v3.0 MR3 New command.
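This listing is the quickest way to see who is administering the unit right now, which makes it a natural input for a session audit. The following Python is an added example (not Fortinet code, not from this reference) that parses the listing and reports sessions using a cleartext protocol, sessions from outside the management network, sessions arriving on an interface not meant for management, and one account in use from several hosts at once. It assumes the column layout shown above with the start time as the last two tokens. The trusted network 172.20.120.0/24, the management interface port1, and the protocol name telnet in the local column (the page only shows sshv2 and https) are assumptions of this example; the first two sample rows are from this page and the rest are constructed.

```python
"""Audit `get system admin list` output for administrative sessions that should
not be there: cleartext protocols, sources outside the management network,
sessions arriving on a non-management interface, and one account in use from
several hosts at once.

Added example, not Fortinet code. It assumes the column layout shown on this
page (username, local, device, remote, started) with the start time as the
last two tokens. The trusted management network and interface, and the
protocol name `telnet` in the `local` column (the page only shows sshv2 and
https), are assumptions of this example. All rows after the first two are
constructed.
"""
import ipaddress

SAMPLE = """\
username local device remote started
admin sshv2 port1:172.20.120.148:22 172.20.120.16:4167 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin telnet port1:172.20.120.148:23 172.20.120.16:4300 2006-08-09 12:26:02
backup https wan1:203.0.113.2:443 198.51.100.44:51022 2006-08-09 12:27:15
"""

CLEARTEXT = {"telnet", "http"}
TRUSTED_NETS = [ipaddress.ip_network("172.20.120.0/24")]  # assumption for this example
MGMT_IFACES = {"port1"}                                      # assumption for this example


def parse_admin_list(text):
    """Return one dict per session; the header line is skipped."""
    sessions = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user, proto, device, remote, date, clock = line.split()
        iface, local_ip, local_port = device.split(":")
        remote_ip, remote_port = remote.rsplit(":", 1)
        sessions.append({
            "user": user, "proto": proto, "iface": iface,
            "local_ip": local_ip, "local_port": int(local_port),
            "remote_ip": remote_ip, "remote_port": int(remote_port),
            "started": date + " " + clock,
        })
    return sessions


def audit_sessions(sessions, trusted=TRUSTED_NETS, mgmt_ifaces=MGMT_IFACES):
    """Return (user, source, reason) tuples, per-session checks first."""
    findings = []
    for s in sessions:
        src = ipaddress.ip_address(s["remote_ip"])
        if s["proto"] in CLEARTEXT:
            findings.append((s["user"], s["remote_ip"], "cleartext protocol %s" % s["proto"]))
        if not any(src in net for net in trusted):
            findings.append((s["user"], s["remote_ip"], "source outside trusted management network"))
        if s["iface"] not in mgmt_ifaces:
            findings.append((s["user"], s["remote_ip"],
                             "session on non-management interface %s" % s["iface"]))
    # A shared account open from several hosts at once is worth a second look.
    hosts_by_user = {}
    for s in sessions:
        hosts_by_user.setdefault(s["user"], set()).add(s["remote_ip"])
    for user, hosts in hosts_by_user.items():
        if len(hosts) > 1:
            findings.append((user, ",".join(sorted(hosts)),
                             "account in use from %d hosts at once" % len(hosts)))
    return findings


if __name__ == "__main__":
    for user, src, reason in audit_sessions(parse_admin_list(SAMPLE)):
        print("%-8s %-28s %s" % (user, src, reason))
```

On the three rows shown on this page the audit is silent apart from the note that admin is open from two hosts, which is exactly the case (one SSH and two HTTPS sessions) where you would want to confirm that both operators are known.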
system admin status
View the status of the currently logged in admin and their session.
Command syntax pattern
get system admin status
Example
The output looks like this:
# get system admin status
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12
username Name of the admin account currently logged in. username: admin
login local The protocol used to start the current session. login local: sshv2
login device The login information from the FortiGate unit, including interface, IP address, and port number. login device: port1:172.20.120.148:22
login remote The computer the user is logging in from, including the IP address and port number. login remote: 172.20.120.16:4167
login vdom The virtual domain the admin is currently logged into. login vdom: root
login started The time the current session started. login started: 2006-08-09 12:24:20
current time The current time of day on the FortiGate unit. current time: 2006-08-09 12:32:12
Command history
FortiOS v3.0 MR3 New command.
system arp
View the ARP table entries on the FortiGate unit.
This command is not available in multiple VDOM mode.
Command syntax pattern
get system arp
Example
The output looks like this:
# get system arp
Address         Age(min)  Hardware Addr      Interface
172.20.120.16   0         00:0d:87:5c:ab:65  internal
172.20.120.138  0         00:08:9b:09:bb:01  internal
Address The IP address that is linked to the MAC address. 0.0.0.0
Age Current duration of the ARP entry in minutes. 0
Hardware Addr The hardware, or MAC, address linked with this IP address. 00:00:00:00:00:00
Interface The physical interface the address is on.
Command history
FortiOS v3.0 New.
FortiOS v3.0 MR1 No change.
FortiOS v3.0 MR2 Moved from system to get chapter.
FortiOS v3.0 MR4 Output format changed.
Related topics
system arp-table
system proxy-arp
system central-mgmt status
View information about the Central Management System status.
Command syntax pattern
get system central-mgmt status
Example
The output looks like this:
# get system central-mgmt status
Central Management Service
License: 1.0
Expiry date: 2007-12-31 00:00:00
Command history
FortiOS v3.0 MR5 New.
system checksum
View the checksums for global, root, and all.
Command syntax pattern
get system checksum status
Example
The output looks like this:
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
Command history
FortiOS v3.0 MR4 New.
system cmdb status
View information about cmdbsvr on the FortiGate unit. FortiManager uses some of this information.
Command syntax pattern
get system cmdb status
Example
The output looks like this:
# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78
version Version of the cmdb software.
owner id Process ID of the cmdbsvr daemon.
update index The update index shows how many changes have been made in cmdb.
config checksum The config file version used by FortiManager.
last request pid The last process to access the cmdb.
last request type Type of the last attempted access of cmdb.
last request The number of the last attempted access of cmdb.
Command history
FortiOS v3.0 MR2 New command.
system dashboard
Display the organization of the modules on the dashboard. The order the modules are listed in is the order they appear, top to bottom, left to right.
FortiManager uses this information.
Command syntax pattern
get system dashboard
Example
The output looks like this:
# get system dashboard
== [ sysinfo ]
name: sysinfo help: system information
== [ licinfo ]
name: licinfo help: license information
== [ sysop ]
name: sysop help: system operation
== [ sysres ]
name: sysres help: system resource
== [ alert ]
name: alert help: alert console
== [ statistics ]
name: statistics help: statistics
== [ jsconsole ]
name: jsconsole help: CLI console
Command history
FortiOS v3.0 MR4 New command.
system fortianalyzer-connectivity
Display connection and remote disk usage information about a connected FortiAnalyzer unit.
Command syntax pattern
get system fortianalyzer-connectivity status
Example
The output looks like this:
# get system fortianalyzer-connectivity status
Status: connected
Disk Usage: 0%
Command history
FortiOS v3.0 MR4 New command.
system fortiguard-log-service status
Command returns information about the status of the FortiGuard Log & Analysis Service including
license and disk information.
Command syntax pattern
get system fortiguard-log-service status
Example
This shows a sample output.
# get system fortiguard-log-service status
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: n/a
Command history
FortiOS v3.0 MR4 New command.
system fortiguard-service status
COMMAND REPLACED. This command returns information about the status of the FortiGuard service, including the name, version, last update, the method used for the last update, and when the update expires. This information is shown for the AV Engine, virus definitions, attack definitions, and the IPS attack engine.
Command syntax pattern
get system fortiguard-service status
Example
This shows a sample output.
NAME                VERSION  LAST UPDATE          METHOD  EXPIRE
AV Engine           2.002    2006-01-26 19:45:00  manual  2006-06-12 08:00:00
Virus Definitions   6.513    2006-06-02 22:01:00  manual  2006-06-12 08:00:00
Attack Definitions  2.299    2006-06-09 19:19:00  manual  2006-06-12 08:00:00
IPS Attack Engine   1.015    2006-05-09 23:29:00  manual  2006-06-12 08:00:00
Command history
FortiOS v3.0 MR2 New command.
FortiOS v3.0 MR5 Command replaced with get system central-mgmt status.
system ha status
Use this command to display information about an HA cluster. The command displays general HA
configuration settings. The command also displays information about how the cluster unit that you
have logged into is operating in the cluster.
Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status command displays information about the primary unit first, and also displays the HA state of the primary unit (the primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha manage command to log into a subordinate unit (or if you use a console connection to log into a subordinate unit), the get system ha status command displays information about this subordinate unit first, and also displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster and standby for an active-passive cluster.
For a virtual cluster configuration, the get system ha status command displays information about how the cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2, the output of the get system ha status command shows virtual cluster 1 in the work state and virtual cluster 2 in the standby state. The get system ha status command also displays additional information about virtual cluster 1 and virtual cluster 2.
Command syntax
get system ha status
The command display includes the following fields. For more information see the examples that follow.
Model The FortiGate model number.
Mode The HA mode of the cluster: a-a or a-p.
Group The group ID of the cluster.
Debug The debug status of the cluster.
ses_pickup The status of session pickup: enable or disable.
load_balance The status of the load-balance-all keyword: enable or disable. Relevant to active-active clusters only.
schedule The active-active load balancing schedule. Relevant to active-active clusters only.
Master
Slave
Master displays the device priority, host name, serial number, and cluster index of the primary (or master) unit.
Slave displays the device priority, host name, serial number, and cluster index of the subordinate (or slave, or backup) unit or units.
The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other cluster units.
If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.
number of vcluster The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled, the cluster has two virtual clusters.
Examples
The following example shows get system ha status output for a cluster of two FortiGate-5001 units operating in active-active mode. The cluster group ID, session pickup, load balance all, and the load balancing schedule are all set to the default values. The device priority of the primary unit is also set to the default value. The device priority of the subordinate unit has been reduced to 100. The host name of the primary unit is 5001_Slot_4. The host name of the subordinate unit is 5001_Slot_3. The command output was produced by connecting to the primary unit CLI (host name 5001_Slot_4).
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master: 128 5001_Slot_4 FG50012204400045 1
Slave : 100 5001_Slot_3 FG50012205400050 0
number of vcluster: 1
vcluster 1: work 10.0.0.2
Master: 0 FG50012204400045
Slave : 1 FG50012205400050
vcluster 1      The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster
                unit that you have logged into in virtual cluster 1. If virtual domains are not
                enabled, vcluster 1 displays information for the cluster. If virtual domains are
                enabled, vcluster 1 displays information for virtual cluster 1.
                The HA heartbeat IP address is 10.0.0.2 if you are logged into the primary unit of
                virtual cluster 1 and 10.0.0.1 if you are logged into a subordinate unit of virtual
                cluster 1.
                vcluster 1 also lists the primary unit (master) and subordinate units (slave) in
                virtual cluster 1. The list includes the cluster index and serial number of each
                cluster unit in virtual cluster 1. The cluster unit that you have logged into is at
                the top of the list.
                If virtual domains are not enabled and you connect to the primary unit CLI, the HA
                state of the cluster unit in virtual cluster 1 is work. The display lists the cluster
                units starting with the primary unit.
                If virtual domains are not enabled and you connect to a subordinate unit CLI, the HA
                state of the cluster unit in virtual cluster 1 is standby. The display lists the
                cluster units starting with the subordinate unit that you have logged into.
                If virtual domains are enabled and you connect to the virtual cluster 1 primary unit
                CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists
                the cluster units starting with the virtual cluster 1 primary unit.
                If virtual domains are enabled and you connect to the virtual cluster 1 subordinate
                unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The
                display lists the cluster units starting with the subordinate unit that you are
                logged into.
vcluster 2      vcluster 2 only appears if virtual domains are enabled. vcluster 2 displays the
                HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit
                that you have logged into in virtual cluster 2. The HA heartbeat IP address is
                10.0.0.2 if you are logged into the primary unit of virtual cluster 2 and 10.0.0.1 if
                you are logged into a subordinate unit of virtual cluster 2.
                vcluster 2 also lists the primary unit (master) and subordinate units (slave) in
                virtual cluster 2. The list includes the cluster index and serial number of each
                cluster unit in virtual cluster 2. The cluster unit that you have logged into is at
                the top of the list.
                If you connect to the virtual cluster 2 primary unit CLI, the HA state of the cluster
                unit in virtual cluster 2 is work. The display lists the cluster units starting with
                the virtual cluster 2 primary unit.
                If you connect to the virtual cluster 2 subordinate unit CLI, the HA state of the
                cluster unit in virtual cluster 2 is standby. The display lists the cluster units
                starting with the subordinate unit that you are logged into.
The following command output was produced by using execute ha manage 0 to log into the
subordinate unit CLI of the cluster shown in the previous example. The host name of the subordinate
unit is 5001_Slot_3.
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Slave : 100 5001_Slot_3 FG50012205400050 0
Master: 128 5001_Slot_4 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 10.0.0.2
Slave : 1 FG50012205400050
Master: 0 FG50012204400045
Command history
FortiOS v3.0 MR2 New command.
Related topics
system ha
execute ha disconnect
execute ha manage
execute ha synchronize
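The output layout described above, worked through as an added example that is not part of the FortiGate CLI Reference: a Python parser that turns the two sample outputs into a record, identifies the unit whose CLI produced the output (the one listed first), and reports what an operator would check before relying on a failover. The sample strings are transcribed from the two examples in this section; the review checks are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed from the first example above: output captured on the primary unit.
PRIMARY_VIEW = """\
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master: 128 5001_Slot_4 FG50012204400045 1
Slave : 100 5001_Slot_3 FG50012205400050 0
number of vcluster: 1
vcluster 1: work 10.0.0.2
Master: 0 FG50012204400045
Slave : 1 FG50012205400050
"""

# Constructed from the second example (after `execute ha manage 0`): the settings
# lines are identical to PRIMARY_VIEW and omitted; the unit you are logged into is listed first.
SUBORDINATE_VIEW = """\
Slave : 100 5001_Slot_3 FG50012205400050 0
Master: 128 5001_Slot_4 FG50012204400045 1
number of vcluster: 1
vcluster 1: work 10.0.0.2
Slave : 1 FG50012205400050
Master: 0 FG50012204400045
"""

@dataclass
class Unit:
    role: str        # "master" (primary) or "slave" (subordinate)
    priority: int    # device priority
    hostname: str
    serial: str
    index: int       # cluster index

@dataclass
class VCluster:
    number: int
    state: str       # hello, work or standby, as seen from the unit you are logged into
    hb_ip: str       # HA heartbeat IP address
    members: list    # (role, cluster index, serial) in displayed order

@dataclass
class HaStatus:
    settings: dict = field(default_factory=dict)  # Model, Mode, Group, ses_pickup, ...
    units: list = field(default_factory=list)     # Unit records, logged-in unit first
    vclusters: list = field(default_factory=list)

UNIT_RE = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")
MEMBER_RE = re.compile(r"^(Master|Slave)\s*:\s*(\d+)\s+(\S+)$")
VCLUSTER_RE = re.compile(r"^vcluster\s+(\d+):\s+(\w+)\s+([\d.]+)$")

def parse_ha_status(text):
    """Turn captured `get system ha status` text into an HaStatus record."""
    status = HaStatus()
    current = None   # vcluster block whose member lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := VCLUSTER_RE.match(line)):
            current = VCluster(int(m.group(1)), m.group(2), m.group(3), [])
            status.vclusters.append(current)
        elif current is None and (m := UNIT_RE.match(line)):
            status.units.append(Unit(m.group(1).lower(), int(m.group(2)),
                                     m.group(3), m.group(4), int(m.group(5))))
        elif current is not None and (m := MEMBER_RE.match(line)):
            current.members.append((m.group(1).lower(), int(m.group(2)), m.group(3)))
        else:
            key, sep, value = line.partition(":")
            if sep:
                status.settings[key.strip()] = value.strip()
    return status

def logged_in_unit(status):
    """The unit whose CLI produced the output is always at the top of the list."""
    return status.units[0]

def review(status):
    """Findings an operator would want before relying on this cluster to fail over."""
    findings = []
    me = logged_in_unit(status)
    if status.settings.get("ses_pickup") != "enable":
        findings.append("session pickup is disabled: established sessions are lost on failover")
    for vc in status.vclusters:
        top_role, _, top_serial = vc.members[0]
        if top_serial != me.serial:
            findings.append(f"vcluster {vc.number} lists {top_serial} first, but this CLI is {me.serial}")
        if top_role == "master" and vc.state != "work":
            findings.append(f"vcluster {vc.number}: primary unit reports {vc.state}, expected work")
    return findings
```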
system info admin ssh
Use this command to display information about the SSH configuration on the FortiGate unit such as:
the SSH port number
the interfaces with SSH enabled
the hostkey DSA fingerprint
the hostkey RSA fingerprint
Command syntax pattern
get system info admin ssh
Example
This shows sample output.
# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH host key DSA fingerprint =
cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH host key RSA fingerprint =
c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
Command history
FortiOS v3.0 MR2 New.
FortiOS v3.0 MR4 Output changed - added SSH hostkey RSA fingerprint.
Related topics
system accprofile
execute disconnect-admin-session
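An added example, not part of the FortiGate CLI Reference, that parses this output and compares it with the record an administrator keeps from the console: the host key fingerprints and the interfaces on which SSH management is meant to be reachable. PINNED_FINGERPRINTS and ALLOWED_INTERFACES are assumed site records; the sample text is the output shown above.

```python
"""Verify `get system info admin ssh` output against an out-of-band record."""
import re

# Constructed from the sample output in this section.
SAMPLE_OUTPUT = """\
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH host key DSA fingerprint =
cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH host key RSA fingerprint =
c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
"""

# Assumed site record: the fingerprints noted from the console at install time,
# and the only interface on which SSH management is meant to be reachable.
PINNED_FINGERPRINTS = {
    "RSA": "c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49",
    "DSA": "cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99",
}
ALLOWED_INTERFACES = {"internal"}

def parse_admin_ssh(text):
    """Return {'version', 'port', 'interfaces', 'fingerprints'} from the output."""
    info = {"version": None, "port": None, "interfaces": [], "fingerprints": {}}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if (m := re.match(r"SSH v(\d+) is enabled on port (\d+)$", line)):
            info["version"], info["port"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"SSH is enabled on the following (\d+) interfaces?:", line)):
            count = int(m.group(1))          # the interface names follow, one per line
            info["interfaces"] = lines[i + 1:i + 1 + count]
            i += count
        elif (m := re.match(r"SSH host key (\w+) fingerprint\s*=\s*(.*)$", line)):
            value = m.group(2).strip()
            if not value:                    # fingerprint wrapped onto the next line
                i += 1
                value = lines[i]
            info["fingerprints"][m.group(1)] = value.lower()
        i += 1
    return info

def check_admin_ssh(info, pinned=PINNED_FINGERPRINTS, allowed=ALLOWED_INTERFACES):
    """Return a list of findings; an empty list means the unit matches the record."""
    findings = []
    for algo, expected in pinned.items():
        seen = info["fingerprints"].get(algo)
        if seen is None:
            findings.append(f"{algo} host key fingerprint not reported")
        elif seen != expected.lower():
            findings.append(f"{algo} host key fingerprint changed: {seen}")
    for iface in info["interfaces"]:
        if iface not in allowed:
            findings.append(f"SSH enabled on interface {iface} outside the allowed set")
    if info["version"] != 2:
        findings.append(f"SSH protocol version {info['version']} reported, expected 2")
    return findings
```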
system info admin status
Use this command to display the administrators that are logged into the FortiGate unit.
Command syntax pattern
get system info admin status
Example
This shows sample output.
Index  User name  Login type  From
0      admin      CLI         ssh(172.20.120.16)
1      admin      WEB         172.20.120.16
Index
  The order in which the administrators logged in.
  Example: 0
User name
  The name of the user account logged in.
  Example: admin
Login type
  Which interface was used to log in.
  Example: CLI
From
  The IP address this user logged in from.
  Example: 172.20.120.16
Command history
FortiOS v3.0 MR2 New.
Related topics
get system info admin ssh
system performance status
Use this command to display FortiGate CPU usage, memory usage, network usage, sessions, viruses
caught, IPS attacks blocked, and system up time.
Command syntax pattern
get system performance status
Example
The output looks like this:
# get sys per status
CPU states: 0%user 0%system 0%nice 100%idle
Memory states: 18%used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9 days, 22 hours, 0 minutes
CPU states
  The percentages of CPU cycles used by the user, system, nice and idle categories of processes.
  Example: 0%user 0%system 0%nice 100%idle
Memory states
  The percentage of memory used.
  Example: 18%used
Average network usage
  The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.
  Example: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions
  The average number of sessions connected to the FortiGate unit over the last 1, 10 and 30 minutes.
  Example: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30 minutes
Virus caught
  The number of viruses the FortiGate unit has caught in the last 1 minute.
  Example: 0 total in 1 minute
IPS attacks blocked
  The number of IPS attacks that have been blocked in the last 1 minute.
  Example: 0 total in 1 minute
Uptime
  How long since the FortiGate unit was last restarted.
  Example: 9 days, 22 hours, 0 minutes
Command history
FortiOS v3.0 Added.
FortiOS v3.0 MR2 Changed to get system performance status and moved from system to
get chapter.
FortiOS v3.0 MR3 Output of command changed to include more CPU information, average
network traffic, average sessions, viruses caught, and IPS attacks
blocked.
system session list
Use this command to display a list of all the sessions active on the FortiGate unit.
Command syntax pattern
get system session list
Example
The output looks like this:
PROTO  EXPIRE  SOURCE               SOURCE-NAT  DESTINATION           DESTINATION-NAT
tcp    0       127.0.0.1:1083       -           127.0.0.1:514         -
tcp    0       127.0.0.1:1085       -           127.0.0.1:514         -
tcp    10      127.0.0.1:1087       -           127.0.0.1:514         -
tcp    20      127.0.0.1:1089       -           127.0.0.1:514         -
tcp    30      127.0.0.1:1091       -           127.0.0.1:514         -
tcp    40      127.0.0.1:1093       -           127.0.0.1:514         -
tcp    60      127.0.0.1:1097       -           127.0.0.1:514         -
tcp    70      127.0.0.1:1099       -           127.0.0.1:514         -
tcp    80      127.0.0.1:1101       -           127.0.0.1:514         -
tcp    90      127.0.0.1:1103       -           127.0.0.1:514         -
tcp    100     127.0.0.1:1105       -           127.0.0.1:514         -
tcp    110     127.0.0.1:1107       -           127.0.0.1:514         -
tcp    103     172.20.120.16:3548   -           172.20.120.133:22     -
tcp    3600    172.20.120.16:3550   -           172.20.120.133:22     -
udp    175     127.0.0.1:1026       -           127.0.0.1:53          -
tcp    5       127.0.0.1:1084       -           127.0.0.1:514         -
tcp    5       127.0.0.1:1086       -           127.0.0.1:514         -
tcp    15      127.0.0.1:1088       -           127.0.0.1:514         -
tcp    25      127.0.0.1:1090       -           127.0.0.1:514         -
tcp    45      127.0.0.1:1094       -           127.0.0.1:514         -
tcp    59      127.0.0.1:1098       -           127.0.0.1:514         -
tcp    69      127.0.0.1:1100       -           127.0.0.1:514         -
tcp    79      127.0.0.1:1102       -           127.0.0.1:514         -
tcp    99      127.0.0.1:1106       -           127.0.0.1:514         -
tcp    109     127.0.0.1:1108       -           127.0.0.1:514         -
tcp    119     127.0.0.1:1110       -           127.0.0.1:514         -
PROTO
  The transfer protocol of the session.
  Example: tcp
EXPIRE
  How long before this session will terminate.
  Example: 3600
SOURCE
  The source IP address and port number.
  Example: 127.0.0.1:1083
SOURCE-NAT
  The source of the NAT. A dash (-) indicates there is no NAT.
  Example: -
DESTINATION
  The destination IP address and port number.
  Example: 127.0.0.1:514
DESTINATION-NAT
  The destination of the NAT. A dash (-) indicates there is no NAT.
  Example: -
Command history
FortiOS v3.0 MR2 New command.
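An added example, not part of the FortiGate CLI Reference, that parses the get system info admin status table from the previous section together with this session list and matches each administrator login to the sessions carrying it, then lists management-port sessions that no logged-in administrator accounts for. LOGIN_PORTS is an assumption about the default management ports; the sample rows are transcribed from the two examples (the session list shortened to a few rows).

```python
"""Cross-reference logged-in administrators with the firewall session table."""
import re
from collections import namedtuple

# Constructed from the `get system info admin status` example.
ADMIN_STATUS = """\
Index User name Login type From
0 admin CLI ssh(172.20.120.16)
1 admin WEB 172.20.120.16
"""

# Constructed from the `get system session list` example, shortened to a few rows.
SESSION_LIST = """\
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 0 127.0.0.1:1083 - 127.0.0.1:514 -
tcp 10 127.0.0.1:1087 - 127.0.0.1:514 -
tcp 103 172.20.120.16:3548 - 172.20.120.133:22 -
tcp 3600 172.20.120.16:3550 - 172.20.120.133:22 -
udp 175 127.0.0.1:1026 - 127.0.0.1:53 -
"""

Session = namedtuple("Session", "proto expire src src_nat dst dst_nat")
Admin = namedtuple("Admin", "index user login_type source")

# Assumption: destination ports each login type is served on with default settings
# (admin-port / admin-sport in system global change the WEB ports).
LOGIN_PORTS = {"CLI": {22, 23}, "WEB": {443, 80}}

def split_endpoint(token):
    """'172.20.120.16:3548' -> ('172.20.120.16', 3548); '-' (no NAT) -> None."""
    if token == "-":
        return None
    host, _, port = token.rpartition(":")
    return host, int(port)

def parse_session_list(text):
    """Rows of the session table as Session records; the header row is skipped."""
    sessions = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, expire, src, snat, dst, dnat = parts
        sessions.append(Session(proto, int(expire), split_endpoint(src),
                                split_endpoint(snat), split_endpoint(dst),
                                split_endpoint(dnat)))
    return sessions

# The From column is 'ssh(IP)' for CLI logins or a bare IP for WEB logins.
ADMIN_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(?:\w+\()?([\d.]+)\)?$")

def parse_admin_status(text):
    """Rows of the administrator table as Admin records; the header row is skipped."""
    admins = []
    for line in text.splitlines()[1:]:
        if (m := ADMIN_RE.match(line.strip())):
            admins.append(Admin(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return admins

def sessions_for_admin(admin, sessions):
    """Sessions from the admin's source address to a port used by that login type."""
    ports = LOGIN_PORTS.get(admin.login_type, set())
    return [s for s in sessions if s.src[0] == admin.source and s.dst[1] in ports]

def unexpected_admin_sessions(sessions, admins):
    """Management-port sessions that no logged-in administrator accounts for."""
    known = {(a.source, p) for a in admins for p in LOGIN_PORTS.get(a.login_type, set())}
    mgmt_ports = set().union(*LOGIN_PORTS.values())
    return [s for s in sessions
            if s.dst[1] in mgmt_ports and (s.src[0], s.dst[1]) not in known]
```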
system status
Use this command to display system status information including:
FortiGate firmware version, build number and branch point
virus and attack definitions version
FortiGate unit serial number and BIOS version
log hard disk availability
host name
operation mode
virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode
VDOMs and VDOM status
current HA status
system time
Command syntax pattern
get system status
Example output
Version: Fortigate-500A 3.00,build0305,060512
Virus-DB: 6.473(2006-05-12 10:21)
IPS-DB: 2.295(2006-05-09 11:30)
Serial-Number: FG500A2904500004
BIOS version: 03006000
Log hard disk: Available
Hostname: FortiGate-500A
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
Common Criteria mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 305
System time: Mon May 15 13:39:03 2006
Command history
FortiOS v3.0 Added.
FortiOS v3.0 MR2 Moved from system to get chapter.
Related topics
hardware status
Index
Numerics
224B 279
3600A 366
3810B 366
A
abort 35
abr-type
router ospf 226
accept-lifetime
router key-chain 212
access control list 405
access-group
router multicast interface igmp 219
access-list 201
router 192
router ospf 232
router rip distance 247
router rip offset-list 251
accprofile
system 292
system admin 296
ACK 329
acl
system wireless mac-filter 405
action
antivirus filepattern 70
firewall multicast-policy 90
firewall policy 93
imp2p aim-user 142
imp2p icq-user 143
imp2p msn-user 144
ips anomaly 151
ips group 588
ips group config rule 158
router access-list 192
router aspath-list 194
router prefix-list 242
router route-map 254
spamfilter bword 265
spamfilter DNSBL 278
spamfilter emailbwl 268
spamfilter ipbwl 272
spamfilter mheader 275
webfilter urlfilter 503
activate
router bgp neighbor 202
active
antivirus filepattern 70
active sessions 617
address
firewall 82
log report output 182
system autoupdate clientoverride 301
system autoupdate override 303
system autoupdate push-update 304
system autoupdate tunneling 308
address overlap 328
address-mode
system fortianalyzer 320
addrgrp
firewall 84
admin
log filter 163
system 295
admingrp
access group for system accprofile 292
administrator access
access profiles description 28
system accprofile command 292
administrators
info 614
list 600
admin-port
system global 327
admin-sport
system global 327
admintimeout
system global 328
ADSL
bridged mode 352
ipoa 352
Advanced Encryption Standard (AES) 356
advertise
router ospf area filter-list 230
router ospf summary-address 237
advertisement-interval
router bgp neighbor 203
agelimit
antivirus quarantine 75
aggregate interface 358, 359
algorithm 359
lacp-ha-slave 359
lacp-mode 359
lacp-speed 359
member 359
aggregate route 198
aim
firewall profile 105
imp2p old-version 145
imp2p policy 146
aim-user
imp2p 142
alertemail
system 298
algorithm
system interface 359
vpn ssl settings 482
all
execute ha synchronize 526
router info routing-table 599
alllogs
execute backup 506
allowaccess
system interface 349, 357
allowas-in
router bgp neighbor 203
allowas-in-enable
router bgp neighbor 203
allowed
log filter 163
allow-interface-subnet-overlap
system global 328
altmode
system modem 363
always-compare-med
router bgp 199
anomaly
ips 150
log filter 163
anomaly detection 331
antispam 263
antispam-cache
system fortiguard 323
antispam-cache-ttl
system fortiguard 323
antispam-timeout
system fortiguard 323
antivirus 69
antivirus configuration 292
AP mode
system wireless settings 407
area
router ospf network 233
area border router (ABR) 224, 228
ARP
proxy ARP 130
arp
system 602
ARP packets 333, 349
ARP table
adding entries 367
display 602
arpforward
system interface 349
arps
system ha 338
arp-table
system 299
as
router bgp 199
AS-path list 194
aspath-list
router 194
as-set
router bgp aggregate-address 202
attack
log filter 163
attackdef
execute ha synchronize 526
attribute-unchanged
router bgp neighbor 203
audit
log report scope 186
auth
log filter 163
system bug-report 311
auth-alg
vpn ipsec manualkey-interface 443
authenticate
system alertemail 298, 299
authentication
router ospf area 229
router ospf area virtual-link 230
router ospf ospf-interface 234
system ha 338
vpn ipsec manualkey 440
authentication keys, RIP v2 212
authentication-key
router ospf area virtual-link 230
router ospf ospf-interface 234
authgrp
access group for system accprofile 292
auth-key
vpn ipsec manualkey-interface 443
authkey
vpn ipsec manualkey 440
auth-keychain
router rip interface 249
authmethod
vpn ipsec phase1 447
vpn ipsec phase1-interface 455
auth-mode
router rip interface 249
authpasswd
vpn ipsec phase1 447
vpn ipsec phase1-interface 455
auth-string
router rip interface 249
auth-timeout
vpn ssl settings 482
authtimeout
system global 328
auth-type
system interface 349
authusr
vpn ipsec phase1 447
vpn ipsec phase1-interface 455
authusrgrp
vpn ipsec phase1 447
vpn ipsec phase1-interface 455
auto
execute vpn certificate ca 570
execute vpn certificate crl 572
auto-dial
system modem 363
auto-install 300
Automatic Refresh Interval 331
autonomous system (AS) 199
Autonomous System, bgp 199
autonomous-flag
system interface config ipv6-prefix 358
autosvr
system dns 317
autoupdate clientoverride
system 301
autoupdate ips
system 302
autoupdate override
system 303
autoupdate push-update
system 304
autoupdate schedule
system 306
autoupdate tunneling
system 308
aux
system 310
AUX port configuration 310
AV/IPS signature reporting 329
av-failopen
system global 328
av-failopen-session
system global 328
avgrp
access group for system accprofile 292
system accprofile 292
avquery-cache
system fortiguard 323
avquery-cache-ttl
system fortiguard 323
avquery-status
system fortiguard 323
avupd
execute ha synchronize 526
B
backdoor
router bgp network 207
backplane interfaces 332
backup ipsec interface
example 462
monitor-phase1 457
backup, execute 506
bandwidth limiting for interfaces 351
batch
execute 508
batch mode 329
batch_cmdb
system global 329
baudrate
system console 312
beacon_interval
system wireless settings 406
bestpath-as-path-ignore
router bgp 199
bestpath-cmp-confed-aspath
router bgp 199
bestpath-cmp-routerid
router bgp 199
bestpath-med-confed
router bgp 199
bestpath-med-missing-as-worst
router bgp 199
BGP 403
AS-path list 194
BGP-4 196
External 199
Internal 199
logging neighbor changes 201
memory table 590
RFC 1771 196
RFC 1997 196
storing updates from neighbor 206
bgp
router 196
router info routing-table 599
bindthroughfw
firewall ipmacbinding setting 86
bindtofw
firewall ipmacbinding setting 86
bittorrent
firewall profile 105
bittorrent-limit
firewall profile 106
blackhole
router static 259
blackhole route 355, 360
blocked
log filter 163
BOOTP Vendor Extensions 315
border-routers
router info ospf 595
bridged mode 352
broadcast_ssid
system wireless settings 406
bsr-allow-quick-refresh
router multicast interface pim-smglobal 220
buffer
system replacemsg auth 368, 369, 371, 386
system replacemsg fortiguard-wf 374
system replacemsg ftp 376
system replacemsg http 378, 380
system replacemsg im 382
system replacemsg mail 384
system replacemsg spam 388
system replacemsg sslvpn 390
bug-report
system 311
bword
spamfilter 264
webfilter 492
C
ca
execute ha synchronize 526
cache
spamfilter fortishield 270
cache-mem-percent
webfilter fortiguard 497
cache-mode
webfilter fortiguard 497
cache-notfound-responses
system dns 317
capability-default-originate
router bgp neighbor 203
capability-dynamic
router bgp neighbor 203
capability-graceful-restart
router bgp neighbor 203
capability-orf
router bgp neighbor 203
capability-route-refresh
router bgp neighbor 203
case sensitivity
Perl regular expressions 48
CC-mode
system global 329
certificate
vpn ca 432
vpn crl 433
vpn local 435
certificate ca
vpn 432
certificate crl
vpn 433
certificate local
vpn 435
cfg reload
execute 509
cfg save
execute 510
channel
system wireless settings 406
CHAP 349
chassis status
get 578
check-reset-range
system global 329
China, PPP option 363
Chinese, Simplified 331
Chinese, Traditional 331
CIDR 196
cidr-only
router info bgp 590
cisco-exclude-genid
router multicast interface 218
Classless Interdomain Routing (CIDR) 196
clear system arp table
execute 511
Clear to Send (CTS) 356
CLI basics 43
CLI structure 33
client certificate for SSL-VPN 483
client certificate, require for logon 329
client-to-client-reflection
router bgp 199
clt-cert-req
system global 329
cluster 337
virtual 337
cluster-id
router bgp 199
cnid
user ldap 420
command abbreviation 44
command completion 43
command help 43
comment
firewall profile 106
comments
firewall policy 93
Common Criteria (CC) 329
community
router info bgp 590
community-info
router info bgp 590
community-list
router 209
router info bgp 590
confederation-identifier
router bgp 199
config 35
execute backup 506
ha synchronize 526
restore 550, 551
config checksum
system cmdb status 605
config limit
ips anomaly 150
config router 21
config rule
ips group 157
config srv-ovrd-list
system fortiguard 324
connected
router info routing-table 599
connecting to the CLI 30
through the console 30
using SSH 31
using Telnet 32
connect-timer
router bgp neighbor 203
conn-tracking
system global 329
console
system 312
console status 581
get 581
console, gui 138
contact-info
system snmp sysinfo 400
cos-map configuration 286
cost
router ospf neighbor 233
router ospf ospf-interface 234
counting to infinity loop 249
CPU usage, SNMP event 397
csv
log syslogd setting 174
syslogd setting 174
custom
ips 154
customer service 19
D
daily-restart
system global 329
dampening
router bgp 199
router info bgp 590
dampening-max-suppress-time
router bgp 199
dampening-reachability-half-life
router bgp 199
dampening-reuse
router bgp 200
dampening-route-map
router bgp 200
dampening-suppress
router bgp 200
dampening-unreachability-half-life
router bgp 200
database
router info ospf 595
router info RIP 598
router info routing-table 599
database-filter-out
router ospf ospf-interface 234
database-overflow
router ospf 227
database-overflow-max-lsas
router ospf 227
database-overflow-time-to-recover
router ospf 227
data-size
execute ping-options 546
date, execute 513
day
firewall schedule recurring 124
system autoupdate schedule 306
daylight saving time 329
ddns
system interface 349
ddns-domain
system interface 349
ddns-password
system interface 349
ddns-profile-id
system interface 349
ddns-server
system interface 350
ddns-sn
system interface 350
ddns-username
system interface 350
dead gateway detection 330
dead gateway detection interval 329
dead-interval
router ospf area virtual-link 231
router ospf ospf-interface 234
default
system session-ttl 392
default_action
ips group config rule 158, 588
default_severity
ips group config rule 158
default-acl
system wireless mac-filter 405
default-action
ips anomaly 151
default-cost
router ospf area 229
default-gateway
system dhcp server 314
defaultgw
system interface 350
default-information-metric
router ospf 227
default-information-metric-type
router ospf 227
default-information-originate
router ospf 227
router rip 246
default-information-route-map
router ospf 227
default-local-preference
router bgp 200
default-metric
router ospf 227
router rip 246
default-severity
ips anomaly 151
delete
shell command 34
denial of service attacks 332
dense mode 215
deploy, execute 514
description
log report definition 180
router bgp neighbor 203
system interface 350
system snmp sysinfo 400
destination
system ipv6-tunnel 361
details
router info routing-table 599
detection summary statistics 329
detection-summary
system global 329
detectserver
system interface 350
deterministic-med
router bgp 200
device
router static 259
router static6 261
system settings 394
df-bit
execute ping-options 546
DHCP exclusion range 316
dhcp lease-clear, execute 515
dhcp lease-list, execute 516
DHCP Options 315
DHCP relay 349
dhcp reserved-address
system 313
dhcp server
system 314
DHCP servers, maximum 314
dhcp-ipsec
vpn ipsec phase2 464
dhcp-relay-ip
system interface 350
dhcp-relay-service
system interface 350
dhcp-relay-type
system interface 350
dhgrp
vpn ipsec phase1 447
vpn ipsec phase1-interface 455
vpn ipsec phase2 464
vpn ipsec phase2-interface 471
diagnose commands 16
dial-on-demand
system modem 363
diffservcode-forward
firewall policy 93
diffservcode-rev
firewall policy 93
diffserv-forward 93
diffserv-reverse
firewall policy 93
direction
router ospf area filter-list 230
router rip distribute-list 248
router rip offset-list 251
disconnect-admin-session, execute 517
disc-retry-timeout
system interface 350
disk filter
log 162
disk setting
log 167
diskfull
log disk setting 167
log memory setting 173
display
log trafficfilter 177
distance
router ospf 227
router rip distance 247
router static 259
system interface 351
system modem 364
vpn ipsec phase1 447
vpn ipsec phase1-interface 456
distance-external
router bgp 200
router ospf 227
distance-inter-area
router ospf 227
distance-internal
router bgp 200
distance-intra-area
router ospf 227
distance-local
router bgp 200
distribute-list-in
router bgp neighbor 204
router ospf 227
distribute-list-out
router bgp neighbor 204
dn
user ldap 420
dns
system 317
DNSBL
spamfilter 277
dns-cache-limit
system dns 317
dns-server
system dhcp server 314
dns-server-override
system interface 351
dns-timeout
spamfilter options 276
dnstranslation
firewall 85
domain
system dhcp server 315
domain name 349
dont-capability-negotiate
router bgp neighbor 204
downstream router, prune state 219
dpd
vpn ipsec phase1 448
vpn ipsec phase1-interface 456
dpd-retrycount 456
vpn ipsec phase1 448
dpd-retryinterval 456
vpn ipsec phase1 448
drive-standby-time
log disk setting 168
drop-blocked
antivirus quarantine 75
drop-heuristic
antivirus quarantine 75
drop-infected
antivirus quarantine 75
dr-priority
router multicast interface 218
dscp-map configuration 286
dst
firewall dnstranslation 85
log trafficfilter rule 178
router policy 239
router static 260
router static6 261
system global 329
dstaddr
firewall multicast-policy 90
firewall policy 94
dst-addr-type
vpn ipsec phase2 464
vpn ipsec phase2-interface 471
dst-end-ip
vpn ipsec phase2 464
vpn ipsec phase2-interface 471
dst-end-ip6
vpn ipsec phase2-interface 471
dstintf
firewall multicast-policy 90
firewall policy 94
dst-name
vpn ipsec phase2 464
vpn ipsec phase2-interface 471
dst-port
vpn ipsec phase2 464
vpn ipsec phase2-interface 471
dst-start-ip
vpn ipsec phase2 464
vpn ipsec phase2-interface 471
dst-start-ip6
vpn ipsec phase2-interface 472
dst-subnet
vpn ipsec phase2 465
vpn ipsec phase2-interface 472
dst-subnet6
vpn ipsec phase2-interface 472
dynamic DNS 349
Dynamic DNS service (DDNS) 349
dynamic routing 353
E
EBGP 199
RFC 3065 196
ebgp-enforce-multihop
router bgp neighbor 204
ebgp-multihop
router bgp neighbor 204
ebgp-multihop-ttl
router bgp neighbor 204
edit 34
system accprofile 292
system gre-tunnel 335
system mac-address-table 362
editing commands 44
editing the configuration file 46
edonkey 106
edonkey-limit 106
eip
vpn l2tp 477
vpn pptp 479
email
log filter 163
log report output 182
email when virus or spam detected 384
email-attachment-name
log report output 182
email-body
log report output 182
emailbwl
spamfilter 267
emaillists
execute ha synchronize 526
email-log-imap
log filter 163
email-log-pop3
log filter 163
email-log-smtp
log filter 163
email-pattern
spamfilter emailbwl 268
email-subject
log report output 182
enable
system dhcp server 315
enc-alg
vpn ipsec manualkey-interface 444
enc-key
vpn ipsec manualkey-interface 444
enckey
vpn ipsec manualkey 441
encrypted password support 45
encryption 332
ipsec manualkey 441
system ha 338
end
command in a table shell 34
command in an edit shell 35
firewall schedule onetime 123
firewall schedule recurring 124
end-ip
firewall address 82
system dhcp server 315
system dhcp server config exclude-range 315
endip
firewall ippool 89
end-port
router policy 239
enforce-first-as
router bgp 200
Equal Cost Multi-Path (ECMP) 394
event
log filter 163
events
system snmp communities 397
exact-match
router access-list 192
example command sequences 39
exclude-summary
log report scope 186
execute 505
execute command
backup 506
batch 508
cfg reload 509
cfg save 510
clear system arp table 511
date 513
deploy 514
dhcp lease-clear 515
dhcp lease-list 516
disconnect-admin-session 517
factoryreset 518
execute command (continued)
formatlogdisk 519
fortiguard-log delete 520
fortiguard-log update 521
fsae refresh 522
ha disconnect 523
ha manage 524
ha synchronize 526
interface dhcpclient-renew 528
interface pppoe-reconnect 529
log delete-all 530
log delete-filtered 531
log delete-rolled 532
log display 533
log filter 534
log fortianalyzer test-connectivity 536
log list 537
log roll 538
log stats display 539
log stats reset 541
modem dial 542, 552
modem hangup 543
ping 545
ping6 548
ping-options 546
reboot 549
restore 550
router clear bfd 553
router clear bgp 552
router restart 555
set-next-reboot 556
shutdown 557
ssh 558
telnet 559
time 560
traceroute 561
update-av 562
update-ips 563
update-now 564
upd-vd-license 565
usb-disk 566
vpn certificate ca 570
vpn certificate crl 572
vpn certificate local 567
vpn sslvpn del-tunnel 574
expires
webfilter ftgd-ovrd 501
export
execute vpn certificate ca 570
extintf
firewall vip 131
extip
firewall vip 131
extport
firewall vip 132
ext-ref
webfilter ftgd-ovrd 501
F
facility
log syslogd setting 174
factoryreset, execute 518
failed connection attempts 331
fail-open
system global 155
failopen mode, av-failopen 328
failtime
system global 329
fast-external-failover
router bgp 200
FB4 366
FDN
proxy server 308
RFC 2616 308
service 301
FDS
override server 303
field
execute log filter 534
fieldbody
spamfilter mheader 275
fieldname
spamfilter mheader 275
file
log report output 182
filepattern
antivirus 70
filter
log 162
filter-list
router info bgp 590
filter-list-in
router bgp neighbor 204
filter-list-out
router bgp neighbor 204
filter-string
log report filter 181
FIN packet 332
FIPS/CC 329
Firefox 332
firewall 81
address 82
addrgrp 84
multicast-policy 90
profile 101
firewall configuration
access profile setting 292
firmware performance optimization 331
fixedport
firewall policy 94
fm
system 318
footer-option
log report customization 179
format
system replacemsg auth 368, 369, 372, 386
system replacemsg fortiguard-wf 374
system replacemsg ftp 376
system replacemsg http 378, 380
system replacemsg im 382
system replacemsg mail 384
system replacemsg spam 389
system replacemsg sslvpn 390
formatlogdisk, execute 519
fortianalyzer
system 320
fortianalyzer filter
log 162
fortianalyzer setting
log 170
FortiGate SNMP agent 400
FortiGate system configuration 329
FortiGate-224B 279
fortiguard
system 322
webfilter 496
FortiGuard Distribution Network (FDN) 303, 304, 308
fortiguard filter
log 162
FortiGuard Log & Analysis
configuration 325
fortiguard setting
log 172
FortiGuard updates 292, 301
fortiguard-log
system 325
fortiguard-log delete
execute 520
fortiguard-log update
execute 521
FortiManager 318, 322
scripts 312
FortiManager, configuration 318
fortimanager-discover-helper
system interface 351
Fortinet customer service 19
FortiOS v3.0
MR2 326
fortishield
spamfilter 269
FortiWifi-60
wireless MAC filter 405
wireless settings 406
FortiWifi-60A
interface settings 356
wireless MAC filter 356
forward-domain
system interface 351
fqdn
firewall address 82
fragment_threshold
system wireless settings 406
frequency
system autoupdate schedule 306
FSAE 330
fsae
firewall policy 94
user 414
fsae refresh
execute 522
ftgd-local-cat
webfilter 499
ftgd-local-rating
webfilter 500
ftgd-ovrd
webfilter 501
ftgd-wf-allow
firewall profile 106
ftgd-wf-block
log filter 163
ftgd-wf-deny
firewall profile 106
ftgd-wf-errors
log filter 163
ftgd-wf-log
firewall profile 107
ftgd-wf-options
firewall profile 107
ftgd-wf-ovrd 107
user group 417
ftgd-wf-ovrd-dur
user group 417
ftgd-wf-ovrd-dur-mode
user group 418
ftgd-wf-ovrd-ext
user group 418
ftgd-wf-ovrd-group
firewall profile 107
ftgd-wf-ovrd-scope
user group 418
ftgd-wf-ovrd-type
user group 418
ftp
firewall profile 108
ftp, message added when virus detected 376
ftpcomfortamount 108
ftpcomfortinterval
firewall profile 108
ftpoversizelimit
firewall profile 108
fwdintf
system dns 317
fwgrp
access group for system accprofile 292
system accprofile 292
G
garbage-timer
router rip 246
gateway 350
default setting for VDOM 393
router policy 239
router static 260
router static6 261
system settings 394
gateway-device
system settings 394
gbandwidth
firewall policy 95
ge
router prefix-list 242
geography
system wireless settings 406
get
edit shell command 35
table shell command 34
get commands 577
global
configure global settings 57
ips 155
system 326
gnutella
firewall profile 108
gnutella-limit
firewall profile 108
graceful_restart
router bgp 200
grayware
antivirus 72
GRE 249
gre-tunnel
system 335
group
ips 157
user 416
group-id
system ha 338
group-name
system ha 338
groups
firewall policy 95
gui 137
gwdetect
system interface 351
H
HA 337
slave, error messages 329
ha
arps 338
authentication 338
encryption 338
group-id 338
group-name 338
hbdev 339
hb-interval 338
hb-lost-threshold 338
helo-holddown 339
link-failed-signal 339
load-balance-all 339
mode 339
monitor 340
override 340
password 340
priority 340
route-hold 340
route-ttl 340
route-wait 341
schedule 341
secondary-vcluster 342
session-pickup 341
sync-config 341
system 337
system status 610
uninterruptable-upgrade 342
vcluster2 342
vdom 342
weight 342
ha disconnect, execute 523
ha manage, execute 524
ha synchronize, execute 526
hardware status 583
hbdev
system ha 339
hb-interval
system ha 338
hb-lost-threshold
system ha 338
header
log report customization 179
system replacemsg auth 368, 369, 372, 386
system replacemsg fortiguard-wf 374
system replacemsg ftp 376
system replacemsg http 378, 380
system replacemsg im 382
system replacemsg mail 384
system replacemsg spam 389
system replacemsg sslvpn 390
hello-holdtime
router multicast interface 218
hello-interval
router multicast interface 218
router ospf area virtual-link 231
router ospf ospf-interface 234
helo-holddown
system ha 339
heuristic
antivirus 74
high availability 337
holddown-timer
system modem 364
holdtime-timer
router bgp 200
router bgp neighbor 204
hop count 251
hostname
spamfilter fortishield 270
system fortiguard 323
system global 330
http
firewall profile 109, 110
HTTP session, antivirus 380
httpcomfortinterval
firewall profile 110
http-obfuscate
system global 330
httpoversizelimit
firewall profile 110
http-retry-count
firewall profile 110
I
IBGP 199
RFC 1966 196
ICMP dropped packets logging 164
icmpcode
firewall service custom 126
icmptype
firewall service custom 126
icq
firewall profile 110
imp2p old-version 145
imp2p policy 146
icq-user
imp2p 143
ICSA compliant logs 164
id
system fm 318
webfilter ftgd-local-cat 499
ident-accept
system interface 351
idle-timeout 483
system interface 351
idle-timer
system modem 364
ie6workaround
system global 330
IEEE 802.1Q 355
IEEE 802.3ad 359
IGMP
RFC 1112 215
RFC 2236 215
RFC 3376 215
igmp-state-limit
router multicast 217
ignore_optional_capability
router bgp 200
ignore-session-bytes 155
IKE 331
im 111
log filter 163
IM, message if blocked 382
image 551
execute restore 551
im-all
log filter 163
imap
firewall profile 112
imapoversizelimit
firewall profile 113
imap-spamaction
firewall profile 113
imap-spamtagmsg
firewall profile 113
imap-spamtagtype
firewall profile 113
imoversizelimit
firewall profile 111
imp2p 141
import
execute vpn certificate ca 570
execute vpn certificate crl 572, 573
inbandwidth
config system interface 351
inbound
firewall policy 95
include-nodata
log report scope 186
include-summary
log report scope 186
include-table-of-content
log report scope 186
inconsistent-as
router info bgp 590
infected
log filter 164
info ospf
router 595
info protocols
router 597
info rip
router 598
info routing-table
router 599
initiator
webfilter ftgd-ovrd 501
input-device
router policy 240
interface
firewall ippool 89
loopback 355, 360
proxy ARP 130
router bgp neighbor 204
router info ospf 595
router info RIP 598
router ospf ospf-interface 235
router rip distribute-list 248
router rip offset-list 251
system 346
system dhcp server 315
system gre-tunnel 335
system ipv6tunnel 361
system mac-address-table 362
system modem 364
system snmp community hosts 398
system zone 409
vpn ipsec manualkey 441
vpn ipsec manualkey-interface 444
vpn ipsec phase1 448
vpn ipsec phase1-interface 456
interface dhcpclient-renew
execute 528
interface pppoe-reconnect
execute 529
interior gateway protocol (IGP) 201
International characters 46
Internet Explorer 330, 332
interval
system global 330
inter-VDOM routing 53
intra-VLAN firewall policy on model 224B 96
intrazone
system zone 409
ip
firewall ipmacbinding table 88
router ospf neighbor 233
router ospf ospf-interface 235
router rip neighbor 250
ip (continued)
system dhcp reserved-address 313
system fm 318
system fortiguard 323, 324
system interface 352
system settings 394
system snmp community hosts 398
webfilter ftgd-ovrd 501
IP address formats 46
IP address overlap 328
IP datagram
TOS bits 402
IP pool
proxy ARP 130
ip/subnet
spamfilter ipbwl 272
spamfilter iptrust 273
ip6-address
system interface config ipv6 357
ip6-default-life
system interface config ipv6 357
ip6-hop-limit
system interface config ipv6 357
ip6-link-mtu
system interface config ipv6 357
ip6-manage-flag
system interface config ipv6 357
ip6-max-interval
system interface config ipv6 357
ip6-min-interval
system interface config ipv6 357
ip6-other-flag
system interface config ipv6 357
ip6-reachable-time
system interface config ipv6 357
ip6-retrans-time
system interface config ipv6 357
ip6-send-adv
system interface config ipv6 357
ipaddress
ips anomaly config limit 152
ipbwl
spamfilter 271
ipmacbinding setting
firewall 86
ipmacbinding table
firewall 88
ippool
firewall 89
firewall policy 95
ip-protocol
ips global 155
ips 149
ips anomaly
status 584
ips custom status 586
ips group status 587
ips-anomaly
firewall profile 113
IPSec 249
ipsec
log filter 164
ipsec concentrator
vpn 438
ipsec manualkey
vpn 440
ipsec manualkey-interface
vpn 443
ipsec phase1
vpn 446
ipsec phase1-interface
vpn 454
ipsec phase2
vpn 463
ipsec phase2-interface
vpn 470
IPSec tunnel
listing 589
ipsec tunnel list
get 589
IPSec VPN 318
ipsgrp
access group for system accprofile 292
ips-log
firewall profile 113
ips-signature
firewall profile 113
ipsuserdefsig
execute backup 507
execute restore 551
iptrust
spamfilter 273
ipunnumbered
system interface 352
IPv6 348
ipv6-tunnel
system 361
ISP 303
J
join-group
router multicast interface 219
jumbo frames 353
K
kazaa
firewall profile 113
kazaa-limit
firewall profile 113
keepalive
vpn ipsec phase1 448
vpn ipsec phase1-interface 456
vpn ipsec phase2 465
vpn ipsec phase2-interface 472
keep-alive-timer
router bgp 200
router bgp neighbor 204
key
system wireless settings 407
key-chain
router 212
keylife 456
vpn ipsec phase1 448
keylifekbs 465
vpn ipsec phase2-interface 472
keylifeseconds 465
vpn ipsec phase2-interface 472
keylife-type 465
vpn ipsec phase2-interface 472
key-string
router key-chain 213
L
l2forward
system interface 352
l2tp
vpn 477
lacp-ha-slave
system interface 359
lacp-mode
system interface 359
lacp-speed
system interface 359
language
spamfilter bword 265
system global 331
webfilter bword 492, 494
last request
system cmdb status 605
last request pid
system cmdb status 605
last request type
system cmdb status 605
lcdpin
system global 331
lcdprotection
system global 331
lcp-echo-interval
system interface 352
lcp-max-echo-failures
system interface 352
LDAP 331
ldap
user 420
ldapconntimeout
system global 331
ldap-server
user local 423
le
router prefix-list 242
lease-time
system dhcp server 315
license
spamfilter fortishield 270
license key entry 565
line continuation 44
lines_per_view
execute logfilter 535
Link Aggregation Control Protocol (LACP) 359
link-failed-signal
system ha 339
list
router ospf area filter-list 230
listname
router rip distribute-list 248
load-balance-all
system ha 339
local
user 423
local-anomaly
system global 331
localcert
execute ha synchronize 526
local-gw
system gre-tunnel 335
vpn ipsec manualkey 441
vpn ipsec manualkey-interface 444
vpn ipsec phase1 448
localid 457
vpn ipsec phase1 448
local-spi
vpn ipsec manualkey-interface 444
localspi
vpn ipsec manualkey 441
location
system snmp sysinfo 400
log 161
execute backup 506
ips anomaly 151
ips group config rule 159, 588
system interface 352
log delete-all, execute 530
log delete-filtered, execute 531
log delete-rolled, execute 532
log display, execute 533
log filter, execute 534
log fortianalyzer test-connectivity
execute 536
log list, execute 537
log roll, execute 538
log settings 292
log stats display, execute 539
log stats reset, execute 541
log_packet
ips group config rule 159, 588
log-av-block
firewall profile 113
log-av-oversize
firewall profile 113
log-av-virus
firewall profile 113
loggrp
access group for system accprofile 292
system accprofile 292
log-im
firewall profile 113
loglocaldeny
system global 331
log-neighbor-changes
router bgp 201
log-spam 114
logtraffic
firewall policy 95
log-web-content
firewall profile 114
log-web-filter-activex
firewall profile 114
log-web-filter-applet
firewall profile 114
log-web-filter-cookie
firewall profile 114
log-web-ftgd-err
firewall profile 114
log-web-url
firewall profile 114
loopback interface 355, 360
lowspace
antivirus quarantine 75
M
mac
firewall ipmacbinding table 88
system arp-table 299
system dhcp reserved-address 313
system interface, config wifi-mac_list 356
system wireless mac-filter 405
MAC address 354
arp-table 299
macaddr
system interface 352
mac-address-table
system 362
mac-list
system wireless mac-filter 405
mail-sig
firewall profile 114
mailsig-status
firewall profile 114
mailto
system bug-report 311
mailto1, mailto2, mailto3
alertemail setting 65
maintenance commands 292
manageip
system settings 394
management traffic 54
management VDOM 54, 295
management-vdom
system global 331
mappedip
firewall vip 132
mappedport
firewall vip 132
match-as-path
router route-map rule 256
match-community
router route-map rule 256
match-community-exact
router route-map rule 256
match-interface
router route-map 254
match-ip-address
router route-map 254
match-ip-nexthop
router route-map 254
match-metric
router route-map 254
match-origin 256
match-route-type
router route-map 254
match-tag
router route-map 254
maxbandwidth
firewall policy 95
maxfilesize
antivirus quarantine 75
maximum transmission unit (MTU) 353, 358
maximum-prefix
router bgp neighbor 204
maximum-prefix-threshold
router bgp neighbor 204
maximum-prefix-warning-only
router bgp neighbor 205
max-log-file-size
log disk setting 167
mc-ttl-notchange
system global 394
md5-key
router ospf area virtual-link 231
router ospf ospf-interface 235
member
firewall addrgrp 84
firewall service group 128
system interface 359
user group 417
user peergrp 427
vpn ipsec concentrator 438
memory
router info bgp 590
memory filter
log 162
memory setting
log 173
metric
router ospf redistribute 236
router rip redistribute 252
metric-type
router ospf redistribute 236
mheader
spamfilter 274
mntgrp
access group for system accprofile 292
system accprofile 292
mode
antivirus heuristic 74
config system ha 339
system console 312
system interface 352
system modem 364
system wireless settings 407
vpn ipsec phase1 449
vpn ipsec phase1-interface 457
modem
auto-dial 363
backup switchover 364
dial-on-demand 363
execute modem dial command 542, 552
execute modem hangup command 543
redundant 364
standalone 364
system 363
monitor
system ha 340
monitor-phase1
vpn ipsec phase1-interface 457
move 34
MS Windows Client 349
msn
firewall profile 114
imp2p old-version 145
imp2p policy 146
msn-user
imp2p 144
MSS TCP 332
mtu
router ospf ospf-interface 235
system interface 353
mtu-ignore
router ospf ospf-interface 235
Multi Exit Discriminator (MED) 199
multicast
dense mode 215
IGMP 215
router 214
system global 333
multicast memberships 217
multicast-forward
system global 394
multicast-policy
firewall 90
multicast-routing 217
multi-report
fortianalyzer setting 170
log fortianalyzer setting 170
N
name
firewall ipmacbinding table 88
log report summary-layout 189
system session-helper 391
system snmp community 397
nat
firewall multicast-policy 90
firewall policy 95
NAT device 304
NAT mode, changing 394
NAT/Route mode 332
natinbound
firewall policy 95
natip
firewall policy 95
natoutbound
firewall policy 96
nattraversal
vpn ipsec phase1 449
vpn ipsec phase1-interface 457
neighbor
router info ospf 596
neighbors
router info bgp 590
neighbour-filter
router multicast interface 218
NetBIOS 353
netbios-forward
system interface 353
netgrp
access group for system accprofile 292
system accprofile 292
netmask
firewall dnstranslation 85
system dhcp server 315
Netscape 332
network
router info bgp 590
Network Layer Reachability Information (NLRI) 227
Network Processing Unit (NPU) 366
Network Time Protocol (NTP) 331, 332
network-import-check
router bgp 201
network-longer-prefixes
router info bgp 590
network-type
router ospf ospf-interface 235
next 35
next-hop-self
router bgp neighbor 205
NLRI prefix
router bgp 204
nssa-default-information-originate
router ospf area 229
nssa-default-information-originate-metric
router ospf area 229
nssa-default-information-originate-metric-typ 229
nssa-redistribution 229
nssa-translator-role 229
ntpserver
system global 331
ntpsync
system global 331
O
obfuscate-user
log report scope 186
obfuscated 330
offset
router rip offset-list 251
old-version
imp2p 145
onlink-flag
system interface config ipv6-prefix 358
operating mode
system settings 393
opmode
system settings 394
optimize
system global 331
option
system dhcp server 315
options
spamfilter 276
order
log report summary-layout 189
OSPF 224, 402
RFC 2328 224
TOS application routing 402
ospf
ABR 224
RFC 3509 226
router 224
router info routing-table 599
OSPF, clear router 554
other-traffic
log filter 164
outbound
firewall policy 96
Outbound Routing Filter (ORF) 203
output-device
router policy 240
override
system autoupdate push-update 304
system ha 340
override-capability
router bgp neighbor 205
oversized
log filter 164
ovrd-auth-https
webfilter fortiguard 497
ovrd-auth-port
webfilter fortiguard 497
owner id
system cmdb status 605
P
p2p 115
packet size
for wireless network 406
padt-retry-timeout
system interface 353
PAP 349
passive
router bgp neighbor 205
router multicast interface 218
passive-interface
router ospf 227
router rip 246
passphrase 407
system wireless settings 407
passwd
system modem 364
user local 423
password
system alertemail 298
system autoupdate tunneling 308
system bug-report 311
system ha 340
system interface 353
user ldap 421
PAT
virtual IPs 130
paths
router info bgp 590
pattern
execute ping-options 546
log filter 164
spamfilter bword 265
pattern-type
spamfilter bword 265
spamfilter emailbwl 268
spamfilter mheader 275
webfilter bword 492, 494
peer
router ospf area virtual-link 231
vpn ipsec phase1 449
vpn ipsec phase1-interface 457
peergrp 457
vpn ipsec phase1 449
peerid 457
vpn ipsec phase1 449
Peer-to-Peer, message if blocked 382
peertype 458
vpn ipsec phase1 450
performance info 615
Perl regular expressions, using 47
pfs
vpn ipsec phase2 465
vpn ipsec phase2-interface 472
phase1name
vpn ipsec phase2 465
vpn ipsec phase2-interface 472
phone
system modem 364
PIM, dense-mode 218
PIM, sparse-mode 218
pim-mode
router multicast interface 218
ping, execute 545
ping6, execute 548
ping-options, execute 546
policy
firewall 92
imp2p 146
router 239
policy check 333
policy check, skipping 333
poll-interval
router ospf neighbor 233
poolname
firewall policy 96
pop3
firewall profile 116
pop3oversizelimit
firewall profile 117
pop3-spamaction
firewall profile 117
pop3-spamtagmsg
firewall profile 117
pop3-spamtagtype
firewall profile 117
port 174
antivirus service 78
log syslogd setting 174
system autoupdate push-update 304
system autoupdate tunneling 308
system fortiguard 324
system session-helper 391
user fsae 414
user ldap 420
port 8890 308
port address translation
virtual IPs 130
port range 330
portal-heading
vpn ssl settings 483
portforward
firewall vip 132
power_level
system wireless settings 407
ppp
log filter 164
PPPoE 304
PPPoE Active Discovery Terminate (PADT) 353
PPPoE auth 349
pptp
vpn 479
preferences
GUI console 138
GUI topology viewer 139
preferred-life-time
system interface config ipv6-prefix 358
prefix
router access-list 192
router bgp aggregate-address 202
router bgp network 207
router ospf area range 230
router ospf network 233
router ospf summary-address 237
router prefix-list 242
router rip distance 247
router rip network 250
prefix-list
router info bgp 590
router prefix-list 242
prefix-list-in
router bgp neighbor 205
prefix-list-out
router bgp neighbor 205
Pre-shared Key (PSK) 356
primary
system dns 317
priority
firewall policy 96
router ospf neighbor 233
router ospf ospf-interface 235
system ha 340
system interface 353
system modem 365
profile
firewall 101
firewall policy 96
webfilter ftgd-ovrd 501
profile-status
firewall policy 96
propagation-delay
router multicast interface 218
proposal
vpn ipsec phase1 451, 459
vpn ipsec phase2 466
vpn ipsec phase2-interface 473
protocol
firewall service custom 126
firewall vip 132
router ospf distribute-list 232
router policy 240
system session-helper 391
vpn ipsec phase2 466
vpn ipsec phase2-interface 473
protocol-number
firewall service custom 126
proxy ARP 130
FortiGate interface 130
IP pool 130
virtual IP 130
Proxy ID Destination
IPSec interface mode 589
Proxy ID Source
IPSec interface mode 589
proxy-arp
system 367
psksecret 459
vpn ipsec phase1 451
purge 34
Q
quarantine
antivirus 75
quarfilepattern
antivirus 77
quar-to-fortianalyzer
antivirus quarantine 76
query-v1-port
system snmp community 397
query-v1-status
system snmp community 397
query-v2c-port
system snmp community 397
query-v2c-status
system snmp community 397
quotafull
log fortiguard setting 172
quote-regexp
router info bgp 590
R
RADIUS 331, 356
radius
user 428
RADIUS authentication 54
radius-auth
system admin 296
radius-group
system admin 296
radius-port
system global 331
radius-server
system wireless settings 407
user local 423
rating
webfilter ftgd-local-rating 500
webfilter ftgd-ovrd 501
reboot, execute 549
recalling commands 44
received route, looping 199
receive-version
router rip interface 249
redial
system modem 365
redir-url
user group 418
refresh
system global 331
regexp
router aspath-list 194
router info bgp 590
Remote Gateway
VPN IPSec monitor field 589
remote-as
router bgp neighbor 205
remoteauthtimeout
system global 331
remote-gw
system gre-tunnel 335
vpn ipsec manualkey 441
vpn ipsec manualkey-interface 444
vpn ipsec phase1 451
vpn ipsec phase1-interface 459
remotegw-ddns
vpn ipsec phase1 451
vpn ipsec phase1-interface 459
remote-ip
system interface 353
remote-spi
vpn ipsec manualkey-interface 444
remotespi
vpn ipsec manualkey 441
remove-private-as
router bgp neighbor 205
rename 34
repeat-count
execute ping-options 546
replacemsg auth 369, 371, 374
replacemsg fortiguard-wf
system 374
replacemsg ftp
system 376
replacemsg http
system 380
replacemsg im
system 382
replacemsg mail
system 384
replacemsg spam
system 388
replacemsg sslvpn
system 390
replay
vpn ipsec phase2 466
vpn ipsec phase2-interface 473
report customization
log 179
report definition
log 180
report filter
log 181
report output
log 182
report period
log 184
report schedule
log 185
report scope
log 186
report selection
log 188
report settings 292
report summary-layout
log 189
reqclientcert
vpn ssl settings 483
Request to Send (RTS) 356
reset-sessionless-tcp
system global 332
resolve
log trafficfilter 177
resolve-host
log report scope 186
resolve-service
log report scope 186
restart-time
system global 332
restore, execute 550
result
log report scope 186
retain-stale-time
router bgp neighbor 205
retransmit-interval
router ospf area virtual-link 231
router ospf ospf-interface 235
rev
ips group 588
ips group config rule 159
RFC 1112 215
RFC 1583 228, 402
RFC 1700 391
RFC 1771 196
RFC 1966 196
RFC 1997 196
RFC 1997, BGP community-list 209
RFC 2132 315
RFC 2236 215
RFC 2328 224
RFC 2616 308
RFC 3065 196
RFC 3376 215
RFC 3509 226
RFC 3513 357
RFC 791 402
rfc1583-compatible
router ospf 228
rip
router 245
router info routing-table 599
rolled_number 535
roll-schedule
disk setting 167
log disk setting 167
roll-time
log disk setting 167
route
router info ospf 596
route, suppressed 199
route-flap 199
routegrp
access group for system accprofile 292
system accprofile 292
route-hold
system ha 340
route-limit 217
route-map
router 253
router bgp network 207
router bgp redistribute 208
router info bgp 590
routemap
router ospf redistribute 236
router rip redistribute 252
route-map-in
router bgp neighbor 205
route-map-out
router bgp neighbor 205
router 191
router clear bfd, execute 553
router clear bgp, execute 552
router clear ospf process
execute 554
router configuration 292
router info
ospf 595
protocols 597
rip 598
routing table 599
router info bgp 590
router restart, execute 555
router-alert-check
config router multicast config interface config igmp 220
route-reflector-client
router bgp neighbor 205
router-id
router bgp 201
router ospf 228
route-server-client
router bgp neighbor 205
route-threshold 217
route-ttl
system ha 340
route-wait
system ha 341
routing
blackhole 355, 360
routing failover 350
routing table priority 365
routing table, displaying entries in 599
routing, administrative distance 351
routing, flap 200
routing, inter-VDOM 53
rp-candidate
router multicast interface 218
rp-candidate-group
router multicast interface 218
rp-candidate-interval 219
rp-candidate-priority 219
rsa-certificate
vpn ipsec phase1 451
vpn ipsec phase1-interface 459
RST out-of-window checking 329
rule
log trafficfilter 177
rule-id
ips group 587
Runtime-only config mode 326
runtime-only configuration mode 329
S
SACK 332
scan
router info bgp 590
scan-bzip2
antivirus service 78
scan-time
router bgp 201
schedule
firewall policy 96
system ha 341
schedule onetime
firewall 123
schedule recurring
firewall 124
scope
webfilter ftgd-ovrd 501
score
spamfilter bword 265
webfilter bword 493
scripts 312
secondary
system dns 317
secondary-image
execute restore 551
secondary-vcluster
system ha 342
secret
user radius 428
secure copy (SCP) 327
secure-vlan, firewall policy 96
security
system wireless settings 407
selection
log report selection 188
send-community
router bgp neighbor 206
send-lifetime
router key-chain 213
send-version
router rip interface 249
send-version1-compatible 249
server
log syslogd setting 174
log webtrends setting 176
spamfilter DNSBL 278
syslogd setting 174
system alertemail 298
system bug-report 311
user fsae 414
user ldap 420
user radius 428
webtrends setting 176
servercert
vpn ssl settings 483
server-type
system dhcp server 315
service
antivirus 78
firewall policy 96
log trafficfilter rule 178
service custom
firewall 126
service group
firewall 128
service predefined
firewall 129
Service Set ID (SSID) 357
session table 332
session-helper
system 391
session-pickup
system ha 341
session-ttl 392
RFC 1700 391
system 392
set 35
set-aggregator-as
router route-map rule 256
set-aggregator-ip
router route-map rule 256
set-aspath
router route-map rule 256
set-atomic-aggregate
router route-map rule 256
set-community
router route-map rule 257
set-community-additive 257
set-community-delete
router route-map rule 257
set-dampening-max-suppress 257
set-dampening-reachability-half-life
router route-map rule 257
set-dampening-reuse 257
set-dampening-suppress 257
set-dampening-unreachability-half-life
router route-map rule 257
set-extcommunity-rt
router route-map rule 257
set-extcommunity-soo
router route-map rule 257
set-ip-nexthop
router route-map 254
set-metric
router route-map 254
set-metric-type
router route-map 254
set-next-reboot, execute 556
set-tag
router route-map 254
setting
alertemail 64
setting administrative access for SSH or Telnet 31
setting page length 47
settings
system 393
severity
ips anomaly 152
ips group config rule 588
log filter 164
shortcut
router ospf area 230
shortest path first (SPF) 228
shutdown
router bgp neighbor 206
shutdown, execute 557
signature
ips custom 154
log filter 164
signature reporting 329
single-source
vpn ipsec phase2 467
vpn ipsec phase2-interface 474
sip
vpn l2tp 477
vpn pptp 479
skype 117
smtp 118
SMTP server 311
SMTP, blocked email 388
smtpoversizelimit 119
smtp-spamaction 119
smtp-spamhdrip 119
smtp-spamtagmsg 119
smtp-spamtagtype 119
SNMP
v1 397
v2c 397
snmp community
system 396
snmp sysinfo
system 400
socket-size 155
soft-reconfiguration
router bgp neighbor 206
source
execute ping-options 546
system ipv6-tunnel 361
spaces, entering in strings 45
spam filter configuration 292
spamfilter 263
spamgrp
access group for system accprofile 292
system accprofile 292
spamwordthreshold 120
Spanning Tree Protocol (STP) 354
special characters, where they are allowed 46
speed
system interface 354
spf-timers
router ospf 228
split-horizon
router rip interface 249
split-horizon-status
router rip interface 249
src
firewall dnstranslation 85
log trafficfilter rule 178
router policy 240
srcaddr
firewall multicast-policy 90
firewall policy 96
src-addr-type
vpn ipsec phase2 467
vpn ipsec phase2-interface 474
src-end-ip
vpn ipsec phase2 467
vpn ipsec phase2-interface 474
srcintf
firewall multicast-policy 90
firewall policy 96
src-name
vpn ipsec phase2 467
src-port
vpn ipsec phase2 467
vpn ipsec phase2-interface 474
src-start-ip
vpn ipsec phase2 467
vpn ipsec phase2-interface 474
src-subnet
vpn ipsec phase2 468
vpn ipsec phase2-interface 475
srv-ovrd
system fortiguard 324
ssh
execute 558
SSH configuration information 613
ssid
system wireless settings 407
ssl monitor
vpn 481
sslv2
vpn ssl settings 483
SSL-VPN
login page 390
user group variables 418
sslvpn-auth
firewall policy 97
sslvpn-cache-cleaner
user group 418
sslvpn-ccert
firewall policy 97
sslvpn-cipher
firewall policy 97
sslvpn-client-check
user group 418
sslvpn-enable 483
sslvpn-samba
user group 419
sslvpn-telnet
user group 419
sslvpn-tunnel
user group 418
sslvpn-webapp
user group 419
start
execute ha synchronize 526
firewall schedule onetime 123
firewall schedule recurring 124
start-ip
firewall address 82
system dhcp server 315
system dhcp server config exclude-range 315
startip
firewall ippool 89
start-port
router policy 240
state-refresh-interval
router multicast interface 219
static
router 259
router info routing-table 599
static6
router 261
status
administrators 601, 614
antivirus grayware 73
antivirus quarfilepattern 77
chassis 578
firewall ipmacbinding table 88
firewall policy 97
FortiAnalyzer connection 607
FortiGuard log service 608
FortiGuard service 609
HA 610
hardware 583
IPS anomalies 584
ips anomaly 152
IPS custom signatures 586
ips group 587
ips group config rule 159
IPS groups 587
log disk setting 167
log fortianalyzer setting 170
log fortiguard setting 172
log memory setting 173
status (continued)
log syslogd setting 174
log webtrends setting 176
router bgp redistribute 208
router info ospf 596
router ospf ospf-interface 236
router ospf redistribute 236
router rip distribute-list 248
router rip offset-list 251
router rip redistribute 252
sessions 617
spamfilter bword 265
spamfilter DNSBL 278
spamfilter emailbwl 268
spamfilter mheader 275
syslogd setting 174
system 618
system autoupdate clientoverride 301
system autoupdate override 303
system autoupdate push-update 304
system autoupdate schedule 306
system autoupdate tunneling 308
system cmdb 605
system fm 318
system fortianalyzer 320
system interface 354
system modem 365
system performance 615
system snmp community 397
system snmp sysinfo 400
system wireless mac-filter 405
user local 423
vpn l2tp 477
vpn pptp 479
webfilter bword 493, 494
webfilter ftgd-local-rating 500
webfilter ftgd-ovrd 501
webfilter urlfilter 503
stop
execute ha synchronize 526
store-blocked
antivirus quarantine 76
store-heuristic
antivirus quarantine 76
store-infected
antivirus quarantine 76
stpforward
system interface 354
strict-capability-match
router bgp neighbor 206
strong encryption 332
strong-crypto
system global 332
stub-type
router ospf area 230
style
log report summary-layout 189
subnet
firewall address 82
subst
system interface 354
substitute
router ospf area range 230
substitute-dst-mac
system interface 354
substitute-status
router ospf area range 230
summary
router info bgp 590
summary-column
log report summary-layout 189
summary-only
router bgp aggregate-address 202
summary-reports
log report summary-layout 189
swfport, firewall policy 97
switch view
enabling on FortiGate-224B 332
switchport, switch 287, 288
switch-view, system global 332
switch-VLAN configuration 281
swtport, firewall policy 97
SYN packets 329
sync-config
system ha 341
synchronization
router bgp 201
syncinterval
system global 332
sysgrp
access group for system accprofile 292
system accprofile 292
syslogd filter
log 162
syslogd setting
log 174
syslogd2 setting
log 174
syslogd3 setting
log 174
system admin list 600
system admin status 601
system checksum 604
system cmdb status 605
system dashboard 606
system fortianalyzer-connectivity 607
system fortiguard-log-service status 608
system fortiguard-service status 609
system ha status 610
system info admin ssh 613
system info admin status 614
system performance status 615
system session list 617
system status 618
T
tag
router ospf redistribute 236
router ospf summary-address 237
TCP port, session helpers 391
tcp-halfclose-timer
system global 332
tcp-option
system global 332
tcp-portrange
firewall service custom 126
technical support 19
telnet, execute 559
threshold 152
ips anomaly 152
time
execute 560
system autoupdate schedule 306
time synchronization 332
time zone 332
Timeout
IPSec interface mode 589
timeout
execute ping-options 546
system session-ttl 392
timeout-timer
router rip 246
timestamp 332
time-to-live (TTL) 394
timezone
system global 332
title
log report definition 180
top1
log report scope 187
top2
log report scope 187
topN
log report summary-layout 189
topology status
get 582
topology viewer status 582
topology, gui 139
tos
execute ping-options 546
tos-based-priority
system 402
tp-mc-skip-policy
system global 333
traceroute, execute 561
traffic
log filter 164
Traffic Indication Messages (TIM)
system wireless settings 406
trafficfilter
log 177
trafficshaping
firewall policy 97
transmit-delay
router ospf area virtual-link 231
router ospf interface 236
transparent mode, changing 394
trap-v1-lport
system snmp community 398
trap-v1-rport
system snmp community 398
trap-v1-status
system snmp community 398
trap-v2c-lport
system snmp community 398
trap-v2c-rport
system snmp community 398
trap-v2c-status
system snmp community 398
troubleshooting
memory low 217
trusthost1, trusthost2, trusthost3
system admin 296
ttl
execute ping-options 546
ttl-threshold
router multicast interface 219
tunnel, GRE
system 335
tunnel-endip 483
tunnel-startip
vpn ssl settings 483
type
firewall address 82
firewall vip 132
log report period 184
log report schedule 185
router ospf area 230
system dhcp reserved-address 313
user ldap 421
user local 423
vpn ipsec phase1 452
vpn ipsec phase1-interface 460
webfilter ftgd-ovrd 501
webfilter urlfilter 503
Type of Service (TOS) 333
type of service (TOS)
RFC 1583 402
RFC 791 402
U
UDP 303
udp-portrange
firewall service custom 126
uncompnestlimit
antivirus service 78
uncompsizelimit
antivirus service 78
undefinedhost
firewall ipmacbinding setting 86
unicast 250
uninterruptable-upgrade
system ha 342
unset 35
unsuppress-map
router bgp neighbor 206
update index
system cmdb status 605
update-av, execute 562
updategrp
system accprofile 292
update-ips, execute 563
update-now, execute 564
update-source
router bgp neighbor 206
update-timer
router rip 247
updgrp
access group for system accprofile 292
upd-vd-license, execute 565
upload
log disk setting 168
log report output 182
upload-delete
log report output 182
upload-delete-files
log disk setting 168
upload-destination
log disk setting 168
upload-dir
log report output 182
uploaddir
log disk setting 168
upload-gzipped
log report output 183
upload-ip
log report output 183
uploadip
log disk setting 168
uploadpass
log disk setting 168
upload-password
log report output 183
uploadport
log disk setting 168
uploadsched
log disk setting 168
upload-server-type
log report output 183
uploadtime
log disk setting 168
uploadtype
log disk setting 168
uploaduser
log disk setting 168
upload-username
log report output 183
uploadzip
log disk setting 168
url
webfilter ftgd-ovrd 501
url-filter
log filter 164
urlfilter
webfilter 503
usb-disk, execute 566
user 411
webfilter ftgd-ovrd 502
user-group
webfilter ftgd-ovrd 502
username
alertemail setting 65
status modem 365
system alertemail 298
system autoupdate tunneling 308
system bug-report 311
system interface 355
user ldap 421
username-smtp
system bug-report 311
using the CLI 27
usrgrp
vpn ipsec phase1 452, 460
vpn l2tp 477
vpn pptp 479
V
validate-reply
execute ping-options 546
valid-life-time
system interface config ipv6-prefix 358
vcluster2
system ha 342
VDOM
management 295
vdom 331
configure VDOMs 60
system admin 297
system ha 342
system interface 355
vdom-link
system 403
ver-1
system fortianalyzer 320
version
IGMP 220
router multicast interface igmp 220
router rip 247
system cmdb status 605
view-settings
execute ping-options 546
violation
log filter 164
vip
firewall 130
vip group, grouping vip, vipgrp 135
VIP range 333
vip-arp-range
system global 333
virtual clustering 337
Virtual Domain (VDOM) 565
virtual IP 130
PAT 130
port address translation 130
virtual-links
router info ospf 596
virus
log filter 165
vlanforward
system interface 355
vlanid
system interface 355
vpn 431
vpn certificate ca
execute 570
vpn certificate crl
execute 572
vpn certificate local, execute 567
VPN configuration 292
vpn sslvpn del-tunnel, execute 574
vpngrp
access group for system accprofile 292
system accprofile 292
vpntunnel
firewall policy 97
W
web
log filter 165
web browser support 332
web filtering, blocked pages 374
web-content
log filter 165
webfilter 491
webfilter configuration 292
web-filter-activex
log filter 165
web-filter-applet
log filter 165
webfilter-cache
system fortiguard 324
webfilter-cache-ttl
system fortiguard 324
web-filter-cookie
log filter 165
webfilter-status
system fortiguard 324
webfilter-timeout
system fortiguard 324
webgrp
access group for system accprofile 292
system accprofile 292
weblists
execute ha synchronize 526
webtrends filter
log 162
webtrends setting
log 176
webwordthreshold 120
weight
router bgp neighbor 206
system ha 342
WEP key 356, 407
where
spamfilter bword 265
wifi-acl
system interface 356
wifi-broadcast_ssid
system interface 356
wifi-fragment_threshold
system interface 356
wifi-key
system interface 356
wifi-mac-filter
system interface 356
wifi-passphrase
system interface 356
wifi-radius-server
system interface 356
wifi-rts_threshold
system interface 356
wifi-security
system interface 356
wifi-ssid
system interface 357
wildcard
router access-list 192
system admin 296
wildcard pattern matching 48
Windows Active Directory
configuring FSAE 414
refresh user group info via FSAE 522
winny
firewall profile 120
winny-limit 120
wins-ip
system interface 356
wins-server
system dhcp server 315
wireless interface access control 356
wireless mac-filter
system 405
wireless settings
system 406
wireless, synchronize 406
word boundary
Perl regular expressions 48
X
xauthtype
vpn ipsec phase1 452
vpn ipsec phase1-interface 460
Y
yahoo
firewall profile 120
imp2p old-version 145
imp2p policy 146
yahoo-user
imp2p 147
Z
zone, system 409